| UNION SQL injection and time-based blind injection vulnerabilities existed in Time Tracker Puncher plugin in versions prior to 1.20.0.5642. This was happening because the Puncher plugin was reusing code from other places and was relying on not checked date parameter in POST requests. Because the parameter was not checked, it was possible to craft POST requests with malicious SQL for Time Tracker database. |
