CVE-2025-69288

Titra · Titra (open source project time tracking) · Multiple Products

A critical remote code execution vulnerability has been discovered in the Titra project time tracking software.

Executive summary

CVE-2025-69288 is a critical remote code execution flaw in the Titra project time tracking software. An authenticated administrator can execute arbitrary code on the server by storing attacker-controlled JavaScript in the timeEntryRule setting, which the application evaluates server-side. Successful exploitation gives the attacker the privileges of the account the Titra process runs as and can lead to complete system compromise, theft of project and credential data, or a foothold for further intrusion into the network. Organizations running Titra versions earlier than 0.99.49 should upgrade without delay.

Vulnerability

The timeEntryRule setting holds a rule that Titra evaluates on the server. The application passes the stored value straight into a NodeVM instance (the sandbox class of the vm2 library) without validating it, and any user with administrative privileges can change that value, either through the application or directly in the database. An administrator can therefore store arbitrary server-side JavaScript in the setting and have the server run it. In-process JavaScript sandboxes such as NodeVM are not a security boundary: the vm2 project has been discontinued by its maintainer precisely because of known, unfixed sandbox escapes. Code placed in the rule consequently runs with the permissions of the account under which the Titra process runs, which amounts to full Remote Code Execution (RCE) on the underlying server.

Business impact

This vulnerability is rated as critical with a CVSS score of 9.1, indicating a high risk to the organization. Successful exploitation could lead to a complete compromise of the server hosting the Titra application. An attacker could exfiltrate sensitive project data, user credentials, and other confidential information, install malware or ransomware, disrupt business operations by taking the service offline, or use the compromised server as a pivot point to attack other systems within the internal network. The potential for data breaches and significant operational downtime poses a severe threat to business continuity and reputation.

Remediation

Immediate Action: Organizations must upgrade all Titra instances to version 0.99.49 or later, which contains the fix. After patching, inspect the stored timeEntryRule value itself, not only the logs: if it contains anything beyond the rule an administrator intended (references to process, require, child_process or Function are typical indicators), treat the host as compromised rather than merely vulnerable and start incident response. Also review access logs for unusual administrative activity or changes to the setting made before the upgrade.

Proactive Monitoring:

  • Log Analysis: Scrutinize application and database logs for any modifications to the timeEntryRule configuration. Because the value can be changed directly in the database, bypassing the application entirely, database audit logging or change streams on the settings collection must be covered as well. Monitor for administrator logins from unexpected IP addresses or at unusual times.
  • Network Monitoring: Monitor for unusual outbound network connections from the Titra server, which could indicate command-and-control communication or data exfiltration.
  • Host-Based Monitoring: Implement file integrity monitoring and watch for the creation of unexpected processes, files, or scheduled tasks on the server, especially those originating from the Titra application process.

Compensating Controls: If patching cannot be performed immediately, the following controls can help reduce risk:

  • Strictly limit administrative access to the Titra application to a small number of trusted users and source IP addresses, and protect those accounts with multi-factor authentication, since a stolen administrator credential is all the attacker needs.
  • A Web Application Firewall (WAF) can be configured to detect and block payloads targeting the timeEntryRule setting, with an important caveat: Titra is a Meteor application, so settings changes typically travel over the DDP WebSocket connection rather than as a conventional HTTP form parameter, and a rule keyed on an HTTP parameter named timeEntryRule may never see them. Where the WAF can inspect WebSocket frames, matching the setting name together with code-like content (require(, process, child_process, Function() is a reasonable, if bypassable, signal; otherwise rely on the access restriction above.
  • Run the Titra process under a dedicated, unprivileged service account with no more file-system or network access than the application needs; injected code runs with that account's permissions, so least privilege directly limits what a successful exploit can do.
  • Enhance segregation of the Titra server from the rest of the corporate network, including egress filtering, to limit the potential for lateral movement and command-and-control traffic.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.1) and the potential for complete system compromise, immediate remediation is strongly recommended. Although this vulnerability requires administrative credentials to exploit, the risk of insider threat or exploitation following a separate credential compromise is significant. Organizations must prioritize applying the patch to all affected Titra instances to prevent potential data breaches, operational disruption, and further network intrusion. While not currently listed on the CISA KEV catalog, its high severity warrants urgent attention.