Vulnerability Details : CVE-2021-21352

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing).
Published 2021-03-03 01:15:13
Updated 2021-03-09 15:51:41
Source GitHub, Inc.
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-21352

Probability of exploitation activity in the next 30 days: 0.28%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 65 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-21352

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source
5.0
 MEDIUM AV:N/AC:L/Au:N/C:N/I:P/A:N
10.0
2.9
 NIST
9.1
 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
3.9
5.2
 NIST
6.8
 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
2.2
4.0
 GitHub, Inc.

CWE ids for CVE-2021-21352

  • The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
    Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-21352

Products affected by CVE-2021-21352

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close