kromitgmbh titra
cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*
- <= 0.99.48
An improper access control vulnerability has been identified in Titra, an open-source time tracking software, affecting versions through 0.99.48. This vulnerability allows any authenticated user to view and edit time entries of other users in private projects to which they have not been granted access. The issue arises from inadequate authorization checks on several API endpoints: the endpoints verify that the caller presents a valid API token but do not verify that the caller is a member of the project the time entry belongs to, enabling unauthorized users to read and manipulate time entry data.
Exploitation of this vulnerability could lead to unauthorized users gaining access to and modifying sensitive time entry information in private projects, potentially disrupting project management and accountability.
To reproduce this vulnerability, create two user accounts, UserA and UserB. UserA should create a private project, without adding UserB to it, and record some time entries in that project. UserB can then generate an API token and use it to read UserA's private time entries through the vulnerable endpoints, or to create a time entry in UserA's project, demonstrating that the API authenticates the token but does not check project membership.
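The following is an added illustration of the authorization gap described above, not Titra's own code: an in-memory model of users, a private project and a time entry, with a token-only handler (the vulnerable pattern) beside a handler that also checks project membership. The user names, tokens, project and entry ids, the helper names (`authenticate`, `canAccessProject`) and the status codes are all assumptions chosen for this example; Titra's real endpoint paths and data model are not reproduced here.

```javascript
// Added example (not Titra's code). All data below is constructed for illustration.

// Two accounts with API tokens, as in the reproduction steps.
const users = {
  userA: { token: 'tok-A' },
  userB: { token: 'tok-B' },
};

// A private project owned by userA; userB is not on the team.
const projects = {
  p1: { owner: 'userA', team: [], isPublic: false },
};

// Time entries keyed by id; t1 belongs to userA in project p1.
const timeEntries = {
  t1: { projectId: 'p1', userId: 'userA', hours: 2 },
};
let nextEntryId = 2;

// Resolve an API token to a user id; null for an unknown token.
function authenticate(token) {
  const match = Object.entries(users).find(([, u]) => u.token === token);
  return match ? match[0] : null;
}

// The predicate the vulnerable handlers never consult: a user may touch a
// project only if it is public, they own it, or they are on its team.
function canAccessProject(userId, projectId) {
  const project = projects[projectId];
  if (!project) return false;
  return project.isPublic || project.owner === userId || project.team.includes(userId);
}

// Vulnerable read: authentication only. Any valid token can read any entry,
// regardless of which project it belongs to.
function getTimeEntryVulnerable(token, entryId) {
  const userId = authenticate(token);
  if (!userId) return { status: 401 };
  const entry = timeEntries[entryId];
  if (!entry) return { status: 404 };
  return { status: 200, entry };
}

// Fixed read: authenticate, then authorize against the entry's project.
// (Some APIs answer 404 instead of 403 here so that the existence of
// entries in private projects is not revealed; 403 is used for clarity.)
function getTimeEntryFixed(token, entryId) {
  const userId = authenticate(token);
  if (!userId) return { status: 401 };
  const entry = timeEntries[entryId];
  if (!entry) return { status: 404 };
  if (!canAccessProject(userId, entry.projectId)) return { status: 403 };
  return { status: 200, entry };
}

// Vulnerable create: the projectId from the request body is trusted as-is,
// so userB can write an entry into userA's private project.
function createTimeEntryVulnerable(token, body) {
  const userId = authenticate(token);
  if (!userId) return { status: 401 };
  if (!projects[body.projectId]) return { status: 404 };
  const id = `t${nextEntryId++}`;
  timeEntries[id] = { projectId: body.projectId, userId, hours: body.hours };
  return { status: 201, id };
}

// Fixed create: the caller must have access to the target project.
function createTimeEntryFixed(token, body) {
  const userId = authenticate(token);
  if (!userId) return { status: 401 };
  if (!projects[body.projectId]) return { status: 404 };
  if (!canAccessProject(userId, body.projectId)) return { status: 403 };
  const id = `t${nextEntryId++}`;
  timeEntries[id] = { projectId: body.projectId, userId, hours: body.hours };
  return { status: 201, id };
}

// Stand-alone run: userB's token against userA's private entry and project.
function demonstrate() {
  return {
    vulnerableRead: getTimeEntryVulnerable('tok-B', 't1').status,   // 200: leaks the entry
    fixedRead: getTimeEntryFixed('tok-B', 't1').status,             // 403: membership enforced
    vulnerableCreate: createTimeEntryVulnerable('tok-B', { projectId: 'p1', hours: 1 }).status, // 201
    fixedCreate: createTimeEntryFixed('tok-B', { projectId: 'p1', hours: 1 }).status,           // 403
  };
}

console.log(demonstrate());
```

The check to add on every entry endpoint (read, create, update, delete) is the `canAccessProject` lookup keyed on the project the entry actually belongs to, taken from the stored entry rather than from anything the client supplies; validating the token alone, as the vulnerable handlers do, only establishes who is calling, not what they may touch.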
Users are advised to update to Titra version 0.99.50, where this vulnerability has been addressed.