PT-2022-16817 · Unknown · Anuko Time Tracker

Indevi0Us · Published 2022-02-23 · Updated 2022-03-04 · CVE-2022-24708

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Anuko Time Tracker versions prior to 1.20.0.5646

Description: Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php does not HTML-escape the primary group name before writing it into the page, so a logged-in user who can modify that name can store a value containing HTML or JavaScript. This is a stored cross-site scripting (XSS) issue: the stored script runs in the browser of any user who subsequently requests a page where the primary group name is displayed, which is why the vector records a scope change (S:C) and a required user interaction (UI:R).

Recommendations: Upgrade to version 1.20.0.5646 or later. As a temporary workaround for installations that cannot upgrade, modify ttUser.class.php to pass the group name through an additional call to htmlspecialchars wherever it is printed. Escape at the point of output and in every context (element body and attribute values) where the name is rendered, not only at the single location where the problem was found.
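The following is an added example, not code from the Anuko Time Tracker project. It contrasts the unescaped rendering pattern the advisory describes with the escaped form the recommended workaround produces. The class and function names (DemoUser, renderGroupNameUnescaped, renderGroupNameEscaped, escapeHtml) and the payload string are illustrative and are not taken from the project or the advisory.

```php
<?php
// Added example (not Anuko Time Tracker code): a stored group name rendered raw
// versus rendered through htmlspecialchars, as the advisory's workaround suggests.
// Names below are illustrative; the payload is a constructed sample.

declare(strict_types=1);

// Stand-in for the object that carries a user's primary group name. In the real
// application the value is read from the database after it has been saved; here it
// is simply a constructed string that contains markup.
final class DemoUser
{
    public function __construct(public string $groupName)
    {
    }
}

// Vulnerable pattern: the stored name reaches the HTML response verbatim, so any
// markup in it is parsed and executed by every browser that renders the page.
function renderGroupNameUnescaped(DemoUser $user): string
{
    return '<span class="group">' . $user->groupName . '</span>';
}

// Hardened pattern: escape at the output boundary. ENT_QUOTES also escapes single
// quotes, so the same helper is safe inside attribute values; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string, which would
// otherwise silently blank the name. (PHP 8.1 made these the defaults; older
// releases default to ENT_COMPAT, which leaves single quotes alone.)
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderGroupNameEscaped(DemoUser $user): string
{
    return '<span class="group">' . escapeHtml($user->groupName) . '</span>';
}

// Attribute context, e.g. a tooltip on a group selector. The same escaping helper
// covers it because the double quote becomes &quot; and cannot close the attribute.
function renderGroupTitleAttribute(DemoUser $user): string
{
    return '<a href="#" title="' . escapeHtml($user->groupName) . '">group</a>';
}

// Check that no tag start or inline event handler survives in rendered output.
function isNeutralised(string $html): bool
{
    return strpos($html, '<img') === false
        && strpos($html, 'onerror="') === false
        && strpos($html, 'onmouseover="') === false;
}

// Constructed payload: plausible as a "group name" typed into a form field, but
// it executes when echoed raw into a page.
$payload = '<img src=x onerror="alert(document.cookie)">';
$user = new DemoUser($payload);

$raw  = renderGroupNameUnescaped($user);
$safe = renderGroupNameEscaped($user);
$attr = renderGroupTitleAttribute(new DemoUser('x" onmouseover="alert(1)'));

echo "Unescaped: $raw\n";
echo "Escaped:   $safe\n";
echo "Attribute: $attr\n";
echo 'Unescaped neutralised? ' . (isNeutralised($raw) ? 'yes' : 'no') . "\n";   // no
echo 'Escaped neutralised?   ' . (isNeutralised($safe) ? 'yes' : 'no') . "\n";  // yes
echo 'Attribute neutralised? ' . (isNeutralised($attr) ? 'yes' : 'no') . "\n";  // yes
```

Run it with `php example.php` (PHP 8.0 or later for constructor property promotion). The escaped body renders as `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which the browser displays as text rather than parsing as an element; the attribute case shows why ENT_QUOTES matters when the same value is reused inside quoted attributes.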

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-24708
GHSA-RGCM-XGVJ-5MQH

Affected Products

Anuko Time Tracker