PT-2021-23136 · Unknown · Anuko Time Tracker

Indevi0Us · Published 2021-10-18 · Updated 2021-10-22 · CVE-2021-41156

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: anuko/timetracker versions prior to 1.19.30.5601

Description: The issue concerns anuko/timetracker, an open-source time tracking system. In affected versions, the system uses a browser_today hidden form control to collect the current date from the user's browser. Because versions prior to 1.19.30.5601 perform no sanity check on this parameter, an attacker can craft an HTML form that submits malicious JavaScript in it. An attacker could use social engineering to convince a logged-on user to submit a POST request from such a form, resulting in the execution of attacker-supplied JavaScript in that user's browser.

Recommendations: For versions prior to 1.19.30.5601, upgrade to version 1.19.30.5601 or later. If an upgrade is not practical, introduce the ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block, so that a browser_today value that is not a well-formed date is rejected before it is used.
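The following PHP is an added illustration of the kind of check the recommendation describes; it is not Anuko Time Tracker's own code. The project's function is named ttValidDbDateFormatDate, but the stand-in here (validDbDateFormatDate), the helper resolveBrowserToday, its $post parameter and the sample inputs are all assumptions made for this example. The point it shows is that a date parameter is validated by shape and calendar plausibility and otherwise ignored, rather than escaped after the fact.

```php
<?php
// Added example, not Anuko Time Tracker's code. validDbDateFormatDate is a
// stand-in for the project's ttValidDbDateFormatDate; its exact behaviour in
// the project is an assumption here: accept only a calendar-valid
// YYYY-MM-DD string and reject everything else.

function validDbDateFormatDate(string $value): bool {
    // Strict shape check: four digits, dash, two digits, dash, two digits,
    // and nothing else. \z (not $) is used so a trailing newline is rejected
    // too. Any value carrying markup, quotes or extra characters fails here.
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})\z/', $value, $m)) {
        return false;
    }
    // checkdate() rejects impossible calendar dates such as 2021-02-30.
    return checkdate((int) $m[2], (int) $m[3], (int) $m[1]);
}

// How such a call could sit in an access-checks block (assumed structure):
// the client-supplied value is consulted only if it validates; otherwise the
// server falls back to its own clock and the submitted string is never used.
function resolveBrowserToday(array $post): string {
    $candidate = $post['browser_today'] ?? '';
    if (is_string($candidate) && validDbDateFormatDate($candidate)) {
        return $candidate;
    }
    return date('Y-m-d');
}

// Constructed inputs for a quick self-check (not taken from the advisory).
$cases = [
    '2021-10-18'                   => true,
    '2021-02-30'                   => false, // not a real calendar date
    '2021-10-18<script>x</script>' => false, // markup is never a date
    '10/18/2021'                   => false, // wrong format
    "2021-10-18\n"                 => false, // trailing newline rejected by \z
    ''                             => false,
];
foreach ($cases as $input => $expected) {
    $got = validDbDateFormatDate((string) $input);
    printf("%-34s %s\n", var_export($input, true), $got === $expected ? 'ok' : 'MISMATCH');
}

// Example of the fallback path with an invalid value: the returned date is
// the server's, not the submitted string.
echo resolveBrowserToday(['browser_today' => '<b>not a date</b>']), "\n";
```

Running the script prints "ok" for every constructed case and a server-generated date on the last line. The design choice worth noting is that validation happens once, at the entry point, and a failing value is discarded rather than cleaned up; that removes the need to reason about every later sink (template, SQL, JavaScript) where the string might otherwise be used.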

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-41156
GHSA-G9CC-M4P4-6XPC

Affected Products

Anuko Time Tracker