CVE-2021-47967

MEDIUM CVSS 6.1 View on NVD ↗

Description

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

http://timeclock.sourceforge.net
https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
https://www.exploit-db.com/exploits/49853
https://www.vulncheck.com/advisories/php-timeclock-multiple-cross-site-scripting-via-parameters

Published: May 15, 2026 19:16 UTC Modified: May 15, 2026 19:16 UTC