Unvalidated file name

State: Resolved, March 2021
Issue ID: CJkeLTV2c
Asset: Web application
Bounty: $100
Reported in: January 2021
Reporter: Fauzi Bariq Mahya
Severity: Low
Visibility: Limited
Weakness: CWE-641: Improper Restriction of Names for Files and Other Resources


Image URLs are not restricted to Clockify server origins, allowing pictures pointing to other domains.

The rest of the report is undisclosed.
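
A server-side check of the kind this weakness calls for, written here as an added example (not code from the report or from Clockify). The allowlisted origins and the function names are placeholders; a naive prefix check is shown beside an exact-origin comparison to make the difference visible.

```javascript
// Constructed allowlist: placeholder origins, not the vendor's real hosts.
const ALLOWED_IMAGE_ORIGINS = new Set([
  "https://img.example.test",
  "https://app.example.test",
]);

// Weak form, for contrast: a string prefix test also matches look-alike
// hosts and URLs that carry the trusted name in the userinfo part.
function naivePrefixCheck(input) {
  return input.startsWith("https://img.example.test");
}

// Hardened form: parse first, then compare the full origin.
// Returns the normalized URL string, or null if the URL is rejected.
function validateImageUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input); // absolute URLs only; relative input throws
  } catch {
    return null;
  }
  // Only https, so javascript:, data: and plain http are refused.
  if (url.protocol !== "https:") return null;
  // Refuse embedded credentials such as https://trusted@other-host/.
  if (url.username !== "" || url.password !== "") return null;
  // Origin is scheme + host + port after normalization; match it exactly,
  // never by substring or suffix.
  if (!ALLOWED_IMAGE_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// Constructed sample inputs.
const samples = [
  "https://img.example.test/avatars/1.png",
  "https://img.example.test.other.example.net/x.png",
  "https://img.example.test@other.example.net/x.png",
  "http://img.example.test/x.png",
  "//img.example.test/x.png",
];
for (const s of samples) {
  console.log(s, "naive:", naivePrefixCheck(s), "strict:", validateImageUrl(s));
}
```

Storing the returned normalized string rather than the raw input keeps the saved value identical to what was checked.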