SB20260420100 - Multiple vulnerabilities in titra
Published: April 20, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improperly controlled modification of dynamically-determined object attributes
The vulnerability allows a remote user to modify protected fields in time entries.
The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the REST API endpoint when handling crafted POST requests to /timeentry/create/ with the customfields parameter. A remote user can send a specially crafted request to modify protected fields in time entries.
The issue can be exploited by overwriting fields such as userId, hours, and state through the customfields object, bypassing business logic controls.
2) Improper access control (CVE-ID: CVE-2026-21694)
The vulnerability allows a remote user to disclose sensitive information and modify data in private projects.
The vulnerability exists due to improper access control in the GET /project/timeentries/:projectId, GET /project/timeentriesfordaterange/:projectId/:fromDate/:toDate, and POST /timeentry/create/ endpoints when handling requests referencing another user's project ID. A remote user can send crafted API requests using another user's project ID to disclose sensitive information and modify data in private projects.
The project ID can be obtained through brute-forcing or social engineering.
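Both issues come down to how a POST /timeentry/create/ handler treats its input: the customfields object is merged into the entry without filtering (issue 1), and the supplied projectId is used without checking that the caller may touch that project (issue 2). The following is an added example, not titra's code, showing the weak pattern beside a hardened one; the session, body and in-memory projects shapes are assumptions made for the illustration.

```javascript
// Added example, not titra's code. Assumed (hypothetical) shapes:
// session = { userId }, body = { projectId, hours, customfields }, projects = [{ _id, userId, team }].
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'projectId', 'hours', 'state']);

// Weak pattern: customfields is spread over the entry after the server-set
// fields, so a client-supplied userId, hours or state wins every collision.
function createTimeEntryUnsafe(body, session) {
  return {
    projectId: body.projectId,
    userId: session.userId,
    hours: Number(body.hours),
    state: 'new',
    ...body.customfields,
  };
}

// Hardened pattern: the project must belong to or be shared with the caller
// (closes the cross-project access), only allow-listed custom field names are
// kept (closes the mass assignment), and server-controlled fields are
// assigned last so nothing in customfields can shadow them.
function createTimeEntrySafe(body, session, projects, allowedCustomFields) {
  const project = projects.find((p) => p._id === body.projectId);
  const members = project ? [project.userId, ...(project.team || [])] : [];
  // Same error for "missing" and "not mine": no oracle for guessing project IDs.
  if (!members.includes(session.userId)) throw new Error('not authorized');
  const hours = Number(body.hours);
  if (!Number.isFinite(hours) || hours < 0) throw new Error('invalid hours');
  const customfields = {};
  for (const [key, value] of Object.entries(body.customfields || {})) {
    if (PROTECTED_FIELDS.has(key) || !allowedCustomFields.has(key)) continue;
    customfields[key] = value;
  }
  return { ...customfields, projectId: project._id, userId: session.userId, hours, state: 'new' };
}

// Constructed sample: bob is on alice's team for p1 but has no access to p2.
const projects = [
  { _id: 'p1', userId: 'alice', team: ['bob'] },
  { _id: 'p2', userId: 'carol', team: [] },
];
const session = { userId: 'bob' };
const body = {
  projectId: 'p1',
  hours: 2,
  customfields: { userId: 'alice', hours: 99, state: 'approved', ticket: 'T-42' },
};
const allowed = new Set(['ticket']);
console.log(createTimeEntryUnsafe(body, session)); // userId, hours and state overwritten
console.log(createTimeEntrySafe(body, session, projects, allowed)); // only ticket kept
```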
Remediation
Install the update from the vendor's website.