CVE-2021-43851

Name of the Vulnerable Software and Affected Versions: Anuko Time Tracker versions 1.19.33.5606 and prior

Description: Anuko Time Tracker is an open source, web-based time tracking application written in PHP. A SQL injection issue exists in multiple files due to improper checking of the group and status parameters in POST requests. The group parameter is used when navigating between organizational subgroups in the groups.php file. The status parameter is used in multiple files to change the status of an entity, such as making a project, task, or user inactive. This issue has been patched in version 1.19.33.5607.

Recommendations: For versions 1.19.33.5606 and prior, upgrade to version 1.19.33.5607 or later. If an upgrade is not practical, introduce the ttValidStatus function as in the latest version and use it in user input check blocks wherever the status field is used. For the groups.php fix, introduce the ttValidInteger function as in the latest version and use it in the access check block in the file.