漏洞标题
在anuko时间跟踪器中的SQL注入
漏洞描述信息
anuko时间跟踪器中的SQL注入
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
SQL injection in anuko timetracker
漏洞描述信息
Anuko Time Tracker is an open source, web-based time tracking application written in PHP. UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions of anuko timetracker prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on an unsanitized date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. This issue has been resolved in in version 1.20.0.5642. Users unable to upgrade are advised to add their own checks to input.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
漏洞类别
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
漏洞标题
Anuko Time Tracker SQL注入漏洞
漏洞描述信息
Anuko Time Tracker是个人开发者的一个开源的时间统计系统。用于统计员工在各个工作上花费时间的一个平台。 Anuko Time Tracker 1.20.0.5646之前版本存在SQL注入漏洞,该漏洞源于Puncher插件重用了来自其他地方的代码,并依赖于POST请求中未经处理的日期参数,插件存在UNION SQL注入漏洞和基于时间的盲注入漏洞。
CVSS信息
N/A
漏洞类别
SQL注入