Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated admin user to modify the timeEntryRule value in the database. That value is then passed to a NodeVM instance and executed as code. Without sanitization, this leads to remote code execution. Version 0.99.49 fixes the issue.
Titra, a time tracking application, is vulnerable to Remote Code Execution (RCE). An authenticated administrator can inject malicious code into the application's database, allowing for complete control of the server. This vulnerability poses a significant risk of data exfiltration, system compromise, and denial of service.
Step 1: Authentication: An attacker gains access to a valid administrator account within the Titra application. This could be achieved through credential stuffing, phishing, or exploiting another vulnerability.
Step 2: Payload Injection: The attacker navigates to the configuration section of the application that controls the timeEntryRule setting. They craft a malicious JavaScript payload designed to execute arbitrary commands on the server. This payload could include commands to create a reverse shell, exfiltrate data, or disable security measures.
Step 3: Database Modification: The attacker injects the malicious JavaScript payload into the timeEntryRule field within the database.
Step 4: Code Execution: When the application processes the timeEntryRule (e.g., when a time entry is created or updated), the injected JavaScript payload is executed by the NodeVM instance.
Step 5: System Compromise: The malicious code executes, giving the attacker control over the server. This could involve the attacker creating a reverse shell, exfiltrating sensitive data, or installing malware.
The vulnerability stems from insufficient validation and sanitization of user-supplied data in the timeEntryRule configuration. The application allows an authenticated administrator to modify the timeEntryRule value, which is then passed to a NodeVM instance for execution. Because this input is not sanitized, an attacker can inject arbitrary JavaScript, which then executes in the context of the server, granting the ability to execute commands, read files, and potentially gain full control of the system. The root cause is user-controlled input reaching a code execution environment without being validated first. This is a classic example of an unsafe deserialization vulnerability.
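The defensive alternative to the pattern described above is to never hand an admin-supplied rule string to a code execution environment at all, but to accept only a closed expression grammar and evaluate it directly. The following is an added illustration, not Titra's code or its actual fix; the time-entry field names (hours, rate, weekday) and the rule syntax are assumptions.

```javascript
// Added example, not Titra's code: rather than hand an admin-supplied timeEntryRule
// string to NodeVM, evaluate a closed grammar with no code execution. Fields are assumed.
const FIELDS = new Set(['hours', 'rate', 'weekday']);
// Sticky tokenizer; dots, brackets, quotes and semicolons have no token and fail here.
const TOKEN = /\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|<=|>=|==|!=|&&|\|\||[-+*/<>!()])/y;
function tokenize(rule) {
  const src = rule.trim(), out = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const pos = TOKEN.lastIndex, m = TOKEN.exec(src);
    if (!m) throw new Error(`rule rejected: unexpected input at offset ${pos}`);
    out.push(m[1]);
  }
  return out;
}
// Binary operators as [precedence, fn]; a Map so "constructor" etc. never resolve via prototype.
const BIN = new Map([
  ['||', [1, (a, b) => a || b]], ['&&', [2, (a, b) => a && b]],
  ['==', [3, (a, b) => a === b]], ['!=', [3, (a, b) => a !== b]],
  ['<', [4, (a, b) => a < b]], ['>', [4, (a, b) => a > b]],
  ['<=', [4, (a, b) => a <= b]], ['>=', [4, (a, b) => a >= b]],
  ['+', [5, (a, b) => a + b]], ['-', [5, (a, b) => a - b]],
  ['*', [6, (a, b) => a * b]], ['/', [6, (a, b) => a / b]]]);
function evaluateRule(rule, entry) { // precedence climbing over the token list
  const toks = tokenize(rule); let i = 0;
  function primary() {
    const t = toks[i++];
    if (t === undefined) throw new Error('rule rejected: unexpected end of rule');
    if (t === '(') { const v = expr(0); if (toks[i++] !== ')') throw new Error('rule rejected: missing )'); return v; }
    if (t === '!') return !primary();
    if (/^\d/.test(t)) return Number(t);
    if (FIELDS.has(t)) return entry[t]; // only declared entry fields resolve
    throw new Error(`rule rejected: unknown identifier ${t}`);
  }
  function expr(minPrec) {
    let left = primary();
    while (BIN.has(toks[i]) && BIN.get(toks[i])[0] >= minPrec) {
      const [prec, fn] = BIN.get(toks[i++]);
      left = fn(left, expr(prec + 1));
    }
    return left;
  }
  const result = expr(0);
  if (i !== toks.length) throw new Error(`rule rejected: unexpected token ${toks[i]}`);
  return result;
}
function isValidRule(rule) { // save-time check for the admin settings form
  try { evaluateRule(rule, { hours: 0, rate: 0, weekday: 0 }); return true; } catch { return false; }
}
```

Running isValidRule when the administrator saves the setting rejects anything outside the grammar before it ever reaches the database, so the later evaluation step has nothing to sanitize.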