PatchSiren

Timeclock CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Timeclock CVE published 2026-05-15

CVE-2021-47967

CVE-2021-47967 is a medium-severity cross-site scripting issue affecting PHP Timeclock 1.04. The supplied NVD record says unauthenticated attackers can inject JavaScript through URL paths and POST parameters in login.php, timeclock.php, audit.php, and timerpt.php, including the from_date and to_date parameters used in report requests. The CVE record was published on 2026-05-15 and last modified on 2026-05-18.

HIGH Timeclock CVE published 2026-05-15

CVE-2021-47966

CVE-2021-47966 describes an unauthenticated SQL injection issue in the PHP Timeclock 1.04 login flow. The weakness affects the login_userid parameter in login.php and is reported as both time-based and boolean-based blind SQL injection. In practical terms, this can let an attacker infer and extract database contents without logging in, including sensitive employee information and credentials. The supplied [truncated]