CVE-2025-69288
Remote Code Execution in Titra via Unsanitized timeEntryRule
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| titra | titra | < 0.99.49 (fixed in 0.99.49) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
Titra is an open source time tracking application. In versions prior to 0.99.49, any authenticated Admin user can modify the timeEntryRule value stored in the database; that value is then executed as code in a NodeVM environment without proper sanitization, which gives the attacker Remote Code Execution (RCE). In other words, an account with Admin access can run arbitrary code on the server.
How can this vulnerability impact me?
An attacker who already holds Admin privileges can execute arbitrary code on the server. That can mean full compromise of the host: data theft, data loss, service disruption, or a foothold for further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Titra to version 0.99.49 or later, which fixes the vulnerability. Until the upgrade is in place, keep the Admin role limited to trusted accounts, since exploitation requires an authenticated Admin user, and review the stored timeEntryRule for changes you did not make.