CVE-2021-47967

MEDIUM 6.1

PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers.

CWE	CWE-79
Vendor	timeclock
Product	php timeclock
Published	May 15, 2026

Stay Ahead of the Next One

Get instant alerts for timeclock php timeclock

Be the first to know when new medium vulnerabilities affecting timeclock php timeclock are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

None

Availability

None

Affected Versions

Timeclock / PHP Timeclock

1.04

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/49853 timeclock.sourceforge.net: http://timeclock.sourceforge.net sourceforge.net: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/ vulncheck.com: https://www.vulncheck.com/advisories/php-timeclock-multiple-cross-site-scripting-via-parameters

Credits

Tyler Butler