Titra Mass Assignment Vulnerability Allowing Overwrite of Protected Fields

Vulnerability

A mass assignment vulnerability exists in the Titra time tracking software in versions up to and including 0.99.48. It allows an authenticated user to inject arbitrary fields into a time entry through the 'customfields' parameter, bypassing the application's business logic. The affected API endpoint uses the JavaScript spread operator to merge this user-controlled object directly into the database document. Although 'customfields' is validated to be an object, nothing restricts which keys it may contain, so an attacker can overwrite protected fields such as 'userId', 'hours', and 'state' with values of their choosing.

Impact

Exploitation allows unauthorized modification of time entry records: overwriting 'userId' attributes an entry to another user, overwriting 'hours' records arbitrary time, and overwriting 'state' places the entry in a state the application's business logic would not otherwise have permitted. The result is incorrect time tracking and reporting that is not attributable to the user who actually created the entry.

Reproduction

To reproduce, an authenticated user sends a POST request to the '/timeentry/create/' endpoint whose body contains an otherwise valid time entry plus a 'customfields' object carrying keys for protected fields such as 'state' and 'hours'. With a tool like curl this means supplying the 'Authorization' header with a valid API token and the JSON body including the 'customfields' payload. Because the server spreads 'customfields' into the stored document, the attacker-supplied values replace the ones the server would have set.
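The following JavaScript is an added illustration, not Titra's own code. It models the handler pattern described under Vulnerability (an object check followed by a spread of 'customfields' over the server-set values) and the request body described under Reproduction, then shows an allowlist-based merge that rejects the same payload. The field names 'task' and 'date', the default state 'open', the allowlist of configured custom fields, and the constructed request body are all assumptions made for the demonstration.

```javascript
// Added example (not Titra's code). Field names, defaults and the allowlist
// below are assumptions for the demo.

// Fields the server sets itself; a request must never be able to set them.
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'hours', 'state']);

// Custom fields an administrator has configured (assumed for the demo).
const ALLOWED_CUSTOM_FIELDS = new Set(['costCenter', 'ticket']);

function assertPlainObject(value, name) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new TypeError(`${name} must be an object`);
  }
}

// Pattern described in the advisory: 'customfields' is checked to be an
// object and then spread into the document. Because the spread comes after
// the server-set values, any key the caller chooses overrides them.
function buildTimeEntryVulnerable(body, authUser) {
  assertPlainObject(body.customfields, 'customfields');
  return {
    userId: authUser._id,
    task: String(body.task),
    date: String(body.date),
    hours: Number(body.hours),
    state: 'open',
    ...body.customfields,
  };
}

// Hardened form: only copy keys that are explicitly allowlisted, and reject
// protected keys with a clear error. Since the allowlist cannot contain a
// protected name, the final spread can no longer clobber server-set fields.
function buildTimeEntrySafe(body, authUser) {
  assertPlainObject(body.customfields, 'customfields');
  const customfields = {};
  for (const [key, value] of Object.entries(body.customfields)) {
    if (PROTECTED_FIELDS.has(key)) {
      throw new Error(`customfields may not set protected field "${key}"`);
    }
    if (!ALLOWED_CUSTOM_FIELDS.has(key)) {
      throw new Error(`unknown custom field "${key}"`);
    }
    customfields[key] = value;
  }
  return {
    userId: authUser._id,
    task: String(body.task),
    date: String(body.date),
    hours: Number(body.hours),
    state: 'open',
    ...customfields,
  };
}

// Constructed request body in the shape the Reproduction section describes:
// a legitimate-looking entry whose 'customfields' carry protected keys.
const maliciousBody = {
  task: 'Code review',
  date: '2026-01-07',
  hours: 1,
  customfields: { userId: 'victim-user', hours: 999, state: 'approved' },
};
const attacker = { _id: 'attacker-user' };

// Runs the payload through both handlers and returns what each produced.
function demo() {
  const vuln = buildTimeEntryVulnerable(maliciousBody, attacker);
  let safeError = null;
  try {
    buildTimeEntrySafe(maliciousBody, attacker);
  } catch (e) {
    safeError = e.message;
  }
  return { vuln, safeError };
}

const result = demo();
console.log('vulnerable document:', result.vuln);
console.log('hardened handler rejected with:', result.safeError);
```

The vulnerable document comes back attributed to 'victim-user' with 999 hours and state 'approved', even though the caller authenticated as 'attacker-user' and the handler set all three fields itself. The hardened handler fails on the first protected key it sees; a denylist of protected names alone would be weaker, since any field added to the schema later would need to be remembered, which is why the allowlist of configured custom fields is the primary check.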

Remediation

Users are advised to update to Titra version 0.99.50, where this vulnerability has been patched.

Added: Jan 8, 2026, 12:20 AM
Updated: Jan 8, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.