Titra Remote Code Execution Vulnerability for Authenticated Admin Users

Vulnerability

A remote code execution vulnerability has been identified in Titra, an open-source time-tracking application, in versions prior to 0.99.49. Any authenticated user holding the Admin role can change the 'timeEntryRule' setting stored in the database. The value of that setting is not validated and is executed as JavaScript on the server, inside a Node.js virtual-machine (NodeVM) sandbox, so an Admin can run arbitrary code on the host.

Impact

An Admin who exploits this can execute arbitrary code on the server and potentially take over the host system. That in turn exposes the entire database, including user credentials and project data. Because the payload lives in a stored setting rather than in a single request, it is also persistent: it is evaluated again every time a time entry is created, so every user who records time triggers it until the setting is cleaned up.

Reproduction

An authenticated Admin updates the 'timeEntryRule' setting with a value containing attacker-chosen JavaScript. No further privilege is needed to trigger it: creating a new time entry causes the stored rule to be run through the NodeVM sandbox, which executes the injected code on the server.

Remediation

Update to Titra version 0.99.49 or later, where this issue has been patched. If updating immediately is not possible, clear or disable the 'timeEntryRule' setting so that no stored rule is evaluated, restrict the Admin role to trusted operators, and inspect the current value of the setting, since a payload that is already present keeps running until it is removed. Do not rely on the sandbox as a mitigation: Node's documentation states that the built-in vm module is not a security mechanism, and vm2, the library that provides NodeVM, was discontinued by its maintainer in 2023 after a series of sandbox escapes. Any server-side evaluation of admin-supplied code should be treated as equivalent to giving that admin a shell on the server.

Added: Dec 31, 2025, 10:17 PM
Updated: Dec 31, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  4.6
  remediation     7.7
  relevance       1.7
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.