CVE-2021-47967

MEDIUM NVD

CVSS Score 6.1

Severity MEDIUM

Published May 15, 2026

Vendor unknown

Description

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.

References

http://timeclock.sourceforge.net
https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
https://www.exploit-db.com/exploits/49853
https://www.vulncheck.com/advisories/php-timeclock-multiple-cross-site-scripting-via-parameters