PT-2023-23580 · Unknown · Time Tracker

Indevi0Us · Published 2023-05-09 · Updated 2023-05-17 · CVE-2023-32066

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Time Tracker versions 1.22.11.5782 and prior

Description: The week view plugin in Time Tracker was not escaping titles for notes in the week view table, allowing a logged-in user to enter notes with JavaScript elements. This could lead to the execution of scripts in the user's browser on subsequent requests to the week view.

Recommendations: For versions 1.22.11.5782 and prior, as a temporary workaround, consider using htmlspecialchars when calling $field->setTitle on line #245 in the week.php file until a patch is available. Update to version 1.22.12.5783 to resolve the issue.
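The following is an added illustration of the workaround above, not code from Time Tracker: the Field class, its setTitle() method, the note array and the placement of the title inside a table-cell attribute are all constructed stand-ins, and only the fix itself (passing the note through htmlspecialchars before setTitle) comes from the advisory.

```php
<?php
// Constructed stand-in for the week-view field object. In this example the
// title is assumed to land inside a double-quoted HTML attribute; the real
// week.php markup may differ.
class Field {
    private string $title = '';

    public function setTitle(string $title): void {
        $this->title = $title;
    }

    // Emits whatever setTitle() received verbatim, so any escaping has to
    // happen before the value reaches this point.
    public function render(): string {
        return '<td title="' . $this->title . '">note</td>';
    }
}

// Before: the note text is handed to setTitle() unescaped. Any '<', '"' or
// '&' in a stored note becomes part of the page's markup on the next
// week-view request (the behaviour the advisory describes).
function weekCellVulnerable(array $note): string {
    $field = new Field();
    $field->setTitle($note['note']);
    return $field->render();
}

// After: the workaround from the advisory. ENT_QUOTES is used because the
// value sits inside a quoted attribute, where an unescaped '"' would end the
// attribute early; ENT_SUBSTITUTE keeps malformed UTF-8 from silently
// producing an empty string.
function weekCellFixed(array $note): string {
    $field = new Field();
    $safeTitle = htmlspecialchars($note['note'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $field->setTitle($safeTitle);
    return $field->render();
}

// Constructed sample note containing characters that are significant in HTML.
$note = ['note' => 'Review "draft" <b>spec</b> & notes'];

echo weekCellVulnerable($note), PHP_EOL; // markup and a stray quote reach the browser as-is
echo weekCellFixed($note), PHP_EOL;      // the same characters arrive as HTML entities
```

Escaping at the point of output (here, just before setTitle) rather than on input keeps the stored note intact for other views while still neutralising it in the week-view table.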

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-32066
GHSA-JW2G-8WVP-9FRW

Affected Products

Time Tracker