CVE-2023-32306

8.8 HIGH

📋 TL;DR

CVE-2023-32306 is a time-based blind SQL injection vulnerability in Time Tracker's reports.php page that allows attackers to execute arbitrary SQL queries against the database. This affects all Time Tracker installations running versions before 1.22.13.5792. Attackers can potentially extract, modify, or delete sensitive time tracking data.

💻 Affected Systems

Products:
  • Time Tracker
Versions: All versions prior to 1.22.13.5792
Operating Systems: All platforms running Time Tracker
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using the vulnerable reports.php page with default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠 Likely Case: Unauthorized access to sensitive time tracking data, employee information, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and database permission restrictions.

🌐 Internet-Facing: HIGH - Web applications with SQL injection vulnerabilities are prime targets for automated attacks.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to access sensitive organizational data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. Exploitation requires POST requests to reports.php with malicious parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.13.5792

Vendor Advisory: https://github.com/anuko/timetracker/security/advisories/GHSA-758x-vg7g-j9j3

Restart Required: No

Instructions:

1. Back up your Time Tracker installation and database.
2. Download version 1.22.13.5792 or later from the official repository.
3. Replace the existing installation with the updated version.
4. Verify that reports.php now properly validates all POST parameters.

🔧 Temporary Workarounds

Manual code fix (applies to all affected versions):

Replace the vulnerable ttReportHelper.class.php file with the fixed version from 1.22.13.5792:

cp /path/to/fixed/ttReportHelper.class.php /path/to/timetracker/ttReportHelper.class.php

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Restrict access to reports.php page to authorized users only

🔍 How to Verify

Check if Vulnerable:

Check if your Time Tracker version is below 1.22.13.5792 and review if reports.php validates all POST parameters.

Check Version:

Check the version.php file or the admin interface for version information.

Verify Fix Applied:

Verify the installation is version 1.22.13.5792 or higher and test that reports.php properly sanitizes input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to reports.php with SQL keywords
  • Multiple failed login attempts followed by reports.php access

Network Indicators:

  • POST requests to reports.php containing SQL syntax like UNION, SELECT, INSERT

SIEM Query:

source="web_logs" AND uri="/reports.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT")
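The keyword rule above, as an added example that is not from this advisory or the Time Tracker project: it applies the same check to constructed log lines, URL-decodes the request body before matching (so encoded keywords are not missed), and also flags unusually slow reports.php responses, because a time-based blind probe may contain none of the listed keywords and shows up as latency instead. The log format, field order and the 5-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (method, path, status, response ms, body or "-"); not real data.
SAMPLE_LOG = """\
POST /reports.php 200 120 project=3&period=this_month
POST /reports.php 200 9800 project=3&period=this_month
POST /reports.php 200 140 project=3&period=UNION+SELECT
POST /reports.php 200 130 project=%55NION%20SELECT
GET /time.php 200 35 -
POST /login.php 401 50 login=bob
"""

# The advisory's keywords plus SLEEP/BENCHMARK, the MySQL timing functions time-based blind SQLi relies on.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|SLEEP|BENCHMARK)\b", re.IGNORECASE)
# Assumed latency threshold (ms): a time-based blind probe shows up as delay, not syntax.
SLOW_MS = 5000

def parse_line(line):
    method, path, status, ms, body = line.split(" ", 4)
    return {"method": method, "path": path, "status": int(status),
            "ms": int(ms), "body": "" if body == "-" else unquote_plus(body)}

def classify(entry):
    """Return the reasons this entry is suspicious (empty list if benign)."""
    reasons = []
    if entry["method"] != "POST" or entry["path"] != "/reports.php":
        return reasons
    m = SQL_KEYWORDS.search(entry["body"])   # match on the decoded body, not the raw one
    if m:
        reasons.append(f"sql keyword {m.group(1).upper()} in decoded body")
    if entry["ms"] >= SLOW_MS:
        reasons.append(f"slow response {entry['ms']} ms (possible time-based probe)")
    return reasons

def scan(log_text):
    """Return (line, reasons) for every suspicious line in the log text."""
    hits = []
    for ln in log_text.splitlines():
        if ln.strip():
            reasons = classify(parse_line(ln))
            if reasons:
                hits.append((ln, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```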
