Description
PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.
Published: 2026-05-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PHP Timeclock 1.04 allows an unauthenticated attacker to inject arbitrary JavaScript by appending malicious payloads to endpoints such as login.php, timeclock.php, audit.php, timerpt.php, or by manipulating the from_date and to_date parameters in report requests. The injected code runs in the user's browser, enabling session hijacking, cookie theft, defacement, or other client‑side attacks.

Affected Systems

The vulnerability affects the Timeclock application titled PHP Timeclock, specifically version 1.04. No other product or version information is provided.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score is not provided, and the vulnerability is not listed in CISA KEV. Attackers can exploit it remotely through standard HTTP requests, requiring no authentication. Though the impact is primarily client‑side, it can be leveraged to compromise user sessions and potentially gain additional privileges within the web application.

Generated by OpenCVE AI on May 15, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched or newer version of PHP Timeclock that resolves the XSS flaw.
  • If an upgrade is not yet available, configure the web server to deny access to the vulnerable endpoints (login.php, timeclock.php, audit.php, timerpt.php) or restrict them to trusted IP ranges.
  • Implement input validation and output encoding for the from_date and to_date parameters, ensuring that user-supplied data is properly sanitized before rendering.
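The following is an added illustration of the third recommended action and is not PHP Timeclock's own code. It shows a strict allow-list check for the from_date and to_date report parameters and HTML encoding of every value echoed back into a page. The function names, the handler shape, and the use of a fixed form action instead of a server-derived request path are assumptions for the example; the page does not state how the application builds its own URLs.

```php
<?php
// Added example (not PHP Timeclock's own code): defensive handling of the
// from_date / to_date report parameters and of values reflected into HTML.
// Function and parameter names are assumed for illustration.

declare(strict_types=1);

/**
 * Return a validated YYYY-MM-DD string or null. Rejects anything that is not
 * a real calendar date in exactly that format, so no markup can pass through.
 */
function validate_report_date(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw)) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat rolls over impossible dates (e.g. 2026-02-31),
    // so compare the round-trip to be sure the input was a real date.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

/** HTML-encode a value before placing it in a page body or attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- usage in a report handler (assumed shape, hypothetical) ---
$from = validate_report_date($_POST['from_date'] ?? null);
$to   = validate_report_date($_POST['to_date'] ?? null);

if ($from === null || $to === null) {
    // Do not echo the rejected input back; a fixed message avoids reflection.
    http_response_code(400);
    echo 'Invalid date range; use YYYY-MM-DD.';
    exit;
}

// Use a fixed script name for the form action rather than a value derived
// from the request (such as $_SERVER['PHP_SELF'] or REQUEST_URI), which can
// carry attacker-controlled path segments into the rendered page.
echo '<form method="post" action="timerpt.php">';
echo '<input type="text" name="from_date" value="' . h($from) . '">';
echo '<input type="text" name="to_date" value="' . h($to) . '">';
echo '<button type="submit">Run report</button>';
echo '</form>';
```

The validation step rejects anything that is not a real date, which removes the injection vector entirely for these two parameters; the encoding step is the safety net for any value that still reaches HTML output, and belongs on every reflected value, not only on the date fields.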

Generated by OpenCVE AI on May 15, 2026 at 20:21 UTC.

Advisories

No advisories yet.

History

Fri, 15 May 2026 22:15:00 +0000

Type       Values Removed   Values Added
Metrics    -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.
Title         -                PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T21:14:04.044Z

Reserved: 2026-05-15T16:37:12.642Z

Link: CVE-2021-47967

Vulnrichment

Updated: 2026-05-15T21:14:00.289Z

NVD

Status: Received

Published: 2026-05-15T19:16:56.433

Modified: 2026-05-15T19:16:56.433

Link: CVE-2021-47967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T20:30:06Z

Weaknesses