Reflected XSS vulnerability

anuko/timetracker is an, open source time tracking system. In affected versions Time Tracker uses browser_today hidden control on a few pages to collect the today's date from user browsers. Because of not checking this parameter for sanity in versions prior to 1.19.30.5601, it was possible to craft an html form with malicious JavaScript, use social engineering to convince logged on users to execute a POST from such form, and have the attacker-supplied JavaScript to be executed in user's browser. This has been patched in version 1.19.30.5600. Upgrade is recommended. If it is not practical, introduce ttValidDbDateFormatDate function as in the latest version and add a call to it within the access checks block.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Anuko TimeTracker 跨站脚本漏洞

Anuko TimeTracker是 （Anuko）开源的一个应用软件。提供一个用PHP编写的基于Web的开源时间跟踪应用程序。 anuko timetracker 存在跨站脚本漏洞，该漏洞源于时间跟踪器在几个页面上使用 browser_today 隐藏控件从用户浏览器收集今天的日期。 由于在 1.19.30.5601 之前的版本中未检查此参数的完整性，因此可以使用恶意 JavaScript 制作 html 表单，使用社会工程说服登录用户从此类表单执行 POST，并让攻击者提供要在用户浏览器中执行的 Ja

N/A

跨站脚本