Impact
ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 did not escape the primary group name for display. As a result, a logged-in user could set the primary group name to a string containing JavaScript. That script would then execute in the browser of any user on subsequent requests to pages where the primary group name was displayed (stored cross-site scripting).
Patches
Fixed in version 1.20.0.5646.
Workarounds
Modify the getUserPartForHeader function in ttUser.class.php so that the group name is passed through an additional htmlspecialchars call when it is appended to the header output:
$user_part .= ', '.htmlspecialchars($this->group_name);
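The following is an added example, not code from the Time Tracker project: it shows the unescaped and the escaped form of the header fragment side by side in a simplified stand-in class. ExampleUser, its login property and the method names are assumptions chosen for the illustration; the real ttUser class has many more members, and the group name shown is a constructed sample value.

```php
<?php
// Added example, not the Time Tracker project's own code.
// ExampleUser is a simplified stand-in for ttUser in ttUser.class.php;
// only the members needed to show the header fragment are included.
class ExampleUser
{
    public string $login;
    public string $group_name;

    public function __construct(string $login, string $group_name)
    {
        $this->login = $login;
        $this->group_name = $group_name;
    }

    // Vulnerable form: the group name is concatenated into the header
    // without escaping, so any markup stored in it reaches the browser intact.
    public function getUserPartForHeaderUnescaped(): string
    {
        $user_part = htmlspecialchars($this->login, ENT_QUOTES, 'UTF-8');
        $user_part .= ', '.$this->group_name;
        return $user_part;
    }

    // Fixed form, matching the advisory's workaround: the group name is passed
    // through htmlspecialchars so <, >, &, " and ' become entities and the
    // browser renders the value as literal text rather than as markup.
    public function getUserPartForHeader(): string
    {
        $user_part = htmlspecialchars($this->login, ENT_QUOTES, 'UTF-8');
        $user_part .= ', '.htmlspecialchars($this->group_name, ENT_QUOTES, 'UTF-8');
        return $user_part;
    }

    // Helper for a quick regression check: true when the rendered fragment
    // contains no raw angle brackets, i.e. every tag in the group name was escaped.
    public function headerIsEscaped(): bool
    {
        $rendered = $this->getUserPartForHeader();
        return strpos($rendered, '<') === false && strpos($rendered, '>') === false;
    }
}

// Constructed sample: a group name containing a script element, as a logged-in
// user could store through the group settings form in affected versions.
$user = new ExampleUser('alice', 'Sales <script>alert(1)</script>');

echo "unescaped: ", $user->getUserPartForHeaderUnescaped(), PHP_EOL;
echo "escaped:   ", $user->getUserPartForHeader(), PHP_EOL;
echo "check:     ", $user->headerIsEscaped() ? 'ok' : 'FAIL', PHP_EOL;
```

The escaped line renders the group name with the angle brackets turned into `&lt;` and `&gt;`, so the browser shows the text of the tag instead of executing it. The advisory's one-line fix calls htmlspecialchars with its default flags, which is sufficient for element content; the example passes ENT_QUOTES and 'UTF-8' explicitly because PHP releases before 8.1 do not escape single quotes by default, which matters if the same value is ever placed inside a single-quoted HTML attribute.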
For more information
If you have any questions or comments about this advisory: