
CVE-2022-24708: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in anuko timetracker

Severity: Medium
Published: Wed Feb 23 2022 (02/23/2022, 23:50:09 UTC)
Source: CVE
Vendor/Project: anuko
Product: timetracker

Description

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping the primary group name for display. Because of that, it was possible for a logged-in user to modify the primary group name to include elements of JavaScript. Such a script could then be executed in the user's browser on subsequent requests to pages where the primary group name was displayed. This vulnerability has been fixed in version 1.20.0.5646. Users who are unable to upgrade may modify ttUser.class.php to use an additional call to htmlspecialchars when printing the group name.

AI-Powered Analysis

Last updated: 06/23/2025, 15:48:07 UTC

Technical Analysis

CVE-2022-24708 is a medium-severity cross-site scripting (XSS) vulnerability affecting Anuko Time Tracker, an open-source, PHP-based web application used for time tracking. The vulnerability exists in versions prior to 1.20.0.5646 within the ttUser.class.php file, specifically in the handling of the primary group name attribute. The application failed to properly escape the primary group name before rendering it on web pages. This improper neutralization of input (CWE-79) allows a logged-in user to inject malicious JavaScript code into the primary group name field. When other users or the same user subsequently view pages displaying this group name, the injected script executes in their browsers. This can lead to session hijacking, credential theft, or other malicious actions performed in the context of the victim’s browser session. The vulnerability requires the attacker to have authenticated access to modify the primary group name, limiting exploitation to users with at least some level of access. No known public exploits have been reported in the wild. The issue was fixed in version 1.20.0.5646 by adding proper escaping using htmlspecialchars when outputting the group name. For users unable to upgrade, a manual patch involving the addition of htmlspecialchars calls in ttUser.class.php is recommended to mitigate the risk.

Potential Impact

For European organizations using Anuko Time Tracker versions prior to 1.20.0.5646, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Since exploitation requires authenticated access, the threat is limited to insider threats or compromised user accounts. However, successful exploitation could allow attackers to execute arbitrary scripts in the context of other users’ browsers, potentially leading to session hijacking, unauthorized actions, or data leakage. This could disrupt business operations, especially in organizations relying on accurate time tracking for billing, payroll, or project management. The impact on availability is minimal, as the vulnerability does not directly enable denial-of-service conditions. Given the open-source nature of the product and its niche use, the overall risk is moderate but should not be underestimated in environments where sensitive time tracking data is critical.

Mitigation Recommendations

1. Upgrade Anuko Time Tracker to version 1.20.0.5646 or later, which contains the official fix for this vulnerability.
2. If upgrading is not immediately feasible, apply a manual patch by modifying ttUser.class.php to ensure the primary group name is escaped using PHP's htmlspecialchars function before output.
3. Implement strict access controls and monitor user permissions to limit who can modify group names, reducing the risk of malicious input.
4. Conduct regular code reviews and security testing focusing on input validation and output encoding to prevent similar XSS issues.
5. Educate users about phishing and social engineering risks, as attackers may attempt to leverage this vulnerability in conjunction with other tactics.
6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of potential XSS payloads.
7. Monitor web application logs for unusual activity related to group name changes or unexpected script execution patterns.
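The output-escaping fix named in the description and in mitigation step 2, as an added example rather than code from the anuko/timetracker project or its ttUser.class.php: the Group class, the function names and the sample group name are constructed for this illustration, and the flags passed to htmlspecialchars are this example's choice, not the project's. It shows the unescaped rendering pattern beside the escaped one and a regression check a maintainer can run against either.

```php
<?php
declare(strict_types=1);
// Added example, not anuko/timetracker code: a minimal model of the
// ttUser.class.php defect (unescaped primary group name) and its fix.

// Constructed stand-in for the stored primary group record.
final class Group
{
    public function __construct(public string $name) {}
}

// BEFORE (vulnerable pattern): the stored name is concatenated into HTML
// verbatim, so markup saved by an authenticated user is rendered by the
// browser of anyone who views a page showing the group name.
function renderGroupNameVulnerable(Group $group): string
{
    return '<span class="group">' . $group->name . '</span>';
}

// AFTER (fixed pattern): escape at output time. ENT_QUOTES also neutralises
// quotes, which matters if the value ever lands inside an attribute; the
// explicit charset avoids encoding-dependent surprises.
function renderGroupNameEscaped(Group $group): string
{
    $safe = htmlspecialchars($group->name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<span class="group">' . $safe . '</span>';
}

// Regression check for maintainers: no raw HTML metacharacters from the stored
// value may survive in the rendered fragment. Returns true when the renderer
// neutralises this input, false when markup passes through.
function rendererNeutralisesMarkup(callable $renderer, Group $group): bool
{
    $html = $renderer($group);
    // Strip the fixed wrapper so only the rendered name is inspected.
    $inner = substr($html, strlen('<span class="group">'), -strlen('</span>'));
    return preg_match('/[<>"\']/', $inner) === 0;
}

// Constructed sample: a group name carrying markup, the kind of value the
// advisory says an authenticated user could save.
$sample = new Group('Engineering <script>alert(1)</script>');

var_dump(rendererNeutralisesMarkup('renderGroupNameVulnerable', $sample));
var_dump(rendererNeutralisesMarkup('renderGroupNameEscaped', $sample));
echo renderGroupNameEscaped($sample), PHP_EOL;
```

Running the check against the vulnerable renderer reports false and against the escaped renderer reports true, which is the condition a manual patch to ttUser.class.php should satisfy before deployment.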


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9842c4522896dcbf261a

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 3:48:07 PM

Last updated: 8/15/2025, 2:28:31 PM
