CVE-2023-32308

8.2 HIGH

📋 TL;DR

Anuko Time Tracker versions before 1.22.11.5781 contain a blind SQL injection vulnerability in invoices.php that allows attackers to execute arbitrary SQL queries via crafted POST requests. This can lead to database manipulation, data theft, or system compromise. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Anuko Time Tracker
Versions: All versions prior to 1.22.11.5781
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with default configuration. Requires access to the invoices.php endpoint.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Data theft of sensitive information (user credentials, financial data, time tracking records) and potential database corruption.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending crafted POST requests to invoices.php. The advisory provides technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.11.5781

Vendor Advisory: https://github.com/anuko/timetracker/security/advisories/GHSA-9g2c-7c7g-p58r

Restart Required: No

Instructions:

1. Back up your database and application files.
2. Download version 1.22.11.5781 or later from the official repository.
3. Replace the existing installation with the updated version.
4. Verify the invoices.php file contains the fix from commit 8a7367d7f77ea697c090f5ca4e19669181cc7bcf.

🔧 Temporary Workarounds

Manual code patch (scope: all affected versions)

Add error checking before calling ttGroupHelper::getActiveInvoices() in invoices.php, as suggested in the advisory: edit invoices.php and add proper error validation before the vulnerable function call.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Restrict network access to the Time Tracker application to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Check if your version is below 1.22.11.5781 by examining the version file or checking the application interface

Check Version:

Check the VERSION file in the installation directory or view the application's about page

Verify Fix Applied:

Verify that invoices.php contains the fix from commit 8a7367d7f77ea697c090f5ca4e19669181cc7bcf and that the installed version is 1.22.11.5781 or higher.
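The version comparison above is easy to get wrong with a plain string compare (for example, "1.22.9" sorts after "1.22.11" lexically). The following helper is an added example, not part of this advisory or of the Time Tracker project; it parses the dotted version as a numeric tuple and compares it against the patched version named here. The VERSION file path and its plain-text contents are assumptions about the install layout, so adjust `check_install` if your deployment stores the version elsewhere.

```python
import re
from pathlib import Path

# Fixed version from the advisory above.
PATCHED_VERSION = "1.22.11.5781"


def parse_version(text: str) -> tuple:
    """Turn a dotted version such as '1.22.11.5781' into (1, 22, 11, 5781).

    Only the leading numeric components are used; any suffix is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version sorts numerically before the patched one.

    A shorter tuple (e.g. '1.22.11' with no build number) sorts before the
    full patched tuple, so incomplete version strings are treated as vulnerable,
    which is the conservative choice for a triage script.
    """
    return parse_version(installed) < parse_version(patched)


def check_install(install_dir: str) -> dict:
    """Read the VERSION file from a Time Tracker install directory (assumed location)."""
    version_file = Path(install_dir) / "VERSION"
    if not version_file.is_file():
        return {"version": None, "vulnerable": None, "reason": "VERSION file not found"}
    installed = version_file.read_text(encoding="utf-8").strip()
    return {"version": installed, "vulnerable": is_vulnerable(installed), "reason": None}


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www/timetracker"  # assumed default path
    print(check_install(target))
```

Run it against the web root of each Time Tracker instance; a `vulnerable: True` result means the install predates 1.22.11.5781 and should be upgraded, while `vulnerable: None` means the script could not find the version and the application's about page should be checked by hand.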

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to invoices.php with SQL-like patterns
  • Database error logs showing SQL syntax errors

Network Indicators:

  • POST requests to /invoices.php containing SQL keywords (SELECT, UNION, etc.)

SIEM Query:

web.url:*invoices.php AND (http.method:POST) AND (web.query:*SELECT* OR web.query:*UNION* OR web.query:*OR*)
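Two practical caveats apply to the indicators above: standard web-server access logs do not record POST bodies, so this detection needs a source that does (a WAF or application audit log), and a bare substring match on `OR` will fire on every "order" and "report" in legitimate invoice data. The script below is an added example, not part of this advisory; it reads constructed JSON-lines audit records (the field names `client_ip`, `method`, `path` and `body` are assumptions about your log format), keeps only POSTs to invoices.php, URL-decodes each form parameter, and flags values that contain a SQL keyword on a word boundary together with a quote or comment character.

```python
import json
import re
from urllib.parse import parse_qs

# Word-boundary matching keeps "or" from firing on "order" or "report",
# which the wildcard pattern *OR* in the SIEM query would match.
SQL_KEYWORDS = re.compile(
    r"\b(select|union|insert|update|delete|drop|sleep|benchmark|or|and)\b",
    re.IGNORECASE,
)
# Quote and comment characters that typically accompany injected SQL.
SQL_METACHARS = re.compile(r"('|--|/\*|#|;)")

# Constructed sample audit records; the JSON field names are assumptions.
SAMPLE_LOG = [
    '{"client_ip": "198.51.100.4", "method": "POST", "path": "/timetracker/invoices.php", '
    '"body": "client_id=12&date=2023-05-01&comment=order+for+report"}',
    '{"client_ip": "198.51.100.9", "method": "GET", "path": "/timetracker/invoices.php", "body": ""}',
    '{"client_ip": "203.0.113.7", "method": "POST", "path": "/timetracker/invoices.php", '
    '"body": "client_id=12%27+OR+%27a%27%3D%27a&date=2023-05-01"}',
    '{"client_ip": "198.51.100.4", "method": "POST", "path": "/timetracker/invoices.php", '
    '"body": "client_id=12&comment=O%27Brien+invoice"}',
]


def is_suspicious(value: str) -> bool:
    """True when a decoded parameter value contains both a SQL keyword and a metacharacter.

    Requiring both cuts the false positives from names with apostrophes
    ("O'Brien") and from ordinary English words that contain SQL keywords.
    """
    return bool(SQL_KEYWORDS.search(value) and SQL_METACHARS.search(value))


def flag_invoice_requests(lines):
    """Return (client_ip, parameter, decoded value) for POSTs to invoices.php with SQL-like input."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than aborting the scan
        path = rec.get("path", "").split("?", 1)[0]
        if rec.get("method") != "POST" or not path.endswith("/invoices.php"):
            continue
        # parse_qs performs the URL decoding (%27 -> ', + -> space).
        for name, values in parse_qs(rec.get("body", ""), keep_blank_values=True).items():
            for value in values:
                if is_suspicious(value):
                    hits.append((rec.get("client_ip"), name, value))
    return hits


if __name__ == "__main__":
    for client_ip, param, value in flag_invoice_requests(SAMPLE_LOG):
        print(f"suspicious POST to invoices.php from {client_ip}: {param}={value!r}")
```

Pair this with the database error-log indicator: a flagged request followed closely by SQL syntax errors from the same client is a much stronger signal than either on its own.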
