
Description

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.

PUBLISHED Reserved 2026-05-15 | Published 2026-05-15 | Updated 2026-05-15 | Assigner VulnCheck




MEDIUM: 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

1.04: affected

Credits

Tyler Butler finder

References

www.exploit-db.com/exploits/49853 (ExploitDB-49853) exploit

timeclock.sourceforge.net (Official Product Homepage) product

sourceforge.net/...k/files/PHP Timeclock/PHP Timeclock 1.04/ (Product Reference) product

www.vulncheck.com/...ple-cross-site-scripting-via-parameters (VulnCheck Advisory: PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters) third-party-advisory

cve.org (CVE-2021-47967)

nvd.nist.gov (CVE-2021-47967)
