A critical permission control vulnerability has been discovered in eTimeTrackLite Web software. This flaw allows an unauthenticated attacker to bypass security controls and modify sensitive database connection configurations, potentially leading to a complete compromise of application data, service disruption, or redirection of data to a malicious server.

The vulnerability is a permission control flaw, also known as an Improper Access Control. An unauthenticated remote attacker can access specific application routes that are intended for privileged users only. By accessing these routes, the attacker can directly modify the application's database connection string, allowing them to reconfigure the application to connect to an attacker-controlled database, which could lead to credential theft, data exfiltration, or a denial of service.

This vulnerability is rated as critical severity with a CVSS score of 9.1, posing a significant risk to the organization. Successful exploitation could lead to a severe data breach, as the attacker could intercept all data being sent to and from the application's database, including user credentials and sensitive business information. Furthermore, modifying the database connection could render the application completely inoperable, causing a significant business disruption. The ability for an unauthenticated attacker to execute this attack remotely makes the risk of compromise extremely high.

Immediate Action: Immediately update all instances of eTimeTrackLite Web to the latest version released after 12.0 (20250704) to patch the vulnerability. After patching, it is crucial to monitor for any signs of exploitation attempts by reviewing server access logs for unusual requests to application configuration endpoints.

Proactive Monitoring:

• Monitor web server access logs for requests to sensitive administrative or configuration routes from unexpected or external IP addresses.
• Implement file integrity monitoring on the application's configuration files to detect any unauthorized changes to the database connection settings.
• Monitor network traffic from the application server for any new or unauthorized outbound connections to external database servers.

Compensating Controls:

• If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to block access to the vulnerable configuration routes from unauthorized sources.
• Apply strict network egress filtering on the application server to prevent it from establishing connections to any database server other than the authorized production database.
• Restrict access to the application's administrative interface at the network level, allowing connections only from trusted internal IP addresses.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the potential for a complete data compromise, it is imperative that organizations prioritize the immediate remediation of this vulnerability. All affected instances of eTimeTrackLite Web must be updated to a patched version without delay. While there is no current evidence of active exploitation, the severity of this flaw means that it is a prime target for threat actors, and a defensive, proactive patching strategy is the only effective mitigation.