Refine your search
7 vulnerabilities found for Kimai by Kimai
CVE-2026-40486 (GCVE-0-2026-40486)
Vulnerability from cvelistv5
Published
2026-04-17 22:35
Modified
2026-04-17 22:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Summary
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.53.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without checking the isEnabled() flag on preference objects. Although the hourly_rate and internal_rate fields are correctly marked as disabled for users lacking the hourly-rate role permission, the API ignores this restriction and saves the values directly. Any authenticated user can modify their own billing rates through this endpoint, resulting in unauthorized financial tampering affecting invoices and timesheet calculations. This issue has been fixed in version 2.53.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T22:35:53.543Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-qh43-xrjm-4ggp"
},
{
"name": "https://github.com/kimai/kimai/releases/tag/2.53.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/releases/tag/2.53.0"
}
],
"source": {
"advisory": "GHSA-qh43-xrjm-4ggp",
"discovery": "UNKNOWN"
},
"title": "Kimai\u0027s User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40486",
"datePublished": "2026-04-17T22:35:53.543Z",
"dateReserved": "2026-04-13T19:50:42.114Z",
"dateUpdated": "2026-04-17T22:35:53.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40479 (GCVE-0-2026-40479)
Vulnerability from cvelistv5
Published
2026-04-17 22:31
Modified
2026-04-17 22:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user's profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.16.3, \u003c 2.53.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a user\u0027s profile alias is inserted into an HTML attribute context via the team member form prototype and rendered through innerHTML, this incomplete escaping allows HTML attribute injection. An authenticated user with ROLE_USER privileges can store a malicious alias that executes JavaScript in the browser of any administrator viewing the team form, resulting in stored XSS with privilege escalation. This issue has been fixed in version 2.53.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T22:31:29.930Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-g82g-m9vx-vhjg"
},
{
"name": "https://github.com/kimai/kimai/releases/tag/2.53.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/releases/tag/2.53.0"
}
],
"source": {
"advisory": "GHSA-g82g-m9vx-vhjg",
"discovery": "UNKNOWN"
},
"title": "Kimai: Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40479",
"datePublished": "2026-04-17T22:31:29.930Z",
"dateReserved": "2026-04-13T19:50:42.113Z",
"dateUpdated": "2026-04-17T22:31:29.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28685 (GCVE-0-2026-28685)
Vulnerability from cvelistv5
Published
2026-03-06 04:49
Modified
2026-03-09 19:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T19:46:43.839705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T19:46:54.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.51.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, \"GET /api/invoices/{id}\" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice\u0027s customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T04:49:08.312Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7"
},
{
"name": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/commit/a0601c8cb28fed1cca19051a8272425069ab758f"
},
{
"name": "https://github.com/kimai/kimai/releases/tag/2.51.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/releases/tag/2.51.0"
}
],
"source": {
"advisory": "GHSA-v33r-r6h2-8wr7",
"discovery": "UNKNOWN"
},
"title": "Kimai: API invoice endpoint missing customer-level access control (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28685",
"datePublished": "2026-03-06T04:49:08.312Z",
"dateReserved": "2026-03-02T21:43:19.927Z",
"dateUpdated": "2026-03-09T19:46:54.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23626 (GCVE-0-2026-23626)
Vulnerability from cvelistv5
Published
2026-01-18 22:45
Modified
2026-01-20 20:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Summary
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:37:30.485752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:07:08.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.46.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai\u0027s export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-18T22:45:35.942Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg"
},
{
"name": "https://github.com/kimai/kimai/pull/5757",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/pull/5757"
},
{
"name": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f"
},
{
"name": "https://github.com/kimai/kimai/releases/tag/2.46.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/releases/tag/2.46.0"
}
],
"source": {
"advisory": "GHSA-jg2j-2w24-54cg",
"discovery": "UNKNOWN"
},
"title": "Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23626",
"datePublished": "2026-01-18T22:45:35.942Z",
"dateReserved": "2026-01-14T16:08:37.482Z",
"dateUpdated": "2026-01-20T20:07:08.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53957 (GCVE-0-2023-53957)
Vulnerability from cvelistv5
Published
2025-12-19 21:05
Modified
2026-04-07 14:08
Severity ?
8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-1275 - Sensitive Cookie with Improper SameSite Attribute
Summary
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.
References
| URL | Tags | |
|---|---|---|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-53957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T21:36:13.015775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T21:41:07.772Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Kimai",
"vendor": "Kimai",
"versions": [
{
"status": "affected",
"version": "1.30.10"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kimai:kimai:1.30.10:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nu11secur1ty"
}
],
"datePublic": "2023-04-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1275",
"description": "Sensitive Cookie with Improper SameSite Attribute",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:08:11.817Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-51278",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/51278"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://github.com/kimai/kimai/releases/tag/1.30.10"
},
{
"name": "VulnCheck Advisory: Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking"
}
],
"title": "Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2023-53957",
"datePublished": "2025-12-19T21:05:52.561Z",
"dateReserved": "2025-12-19T14:03:57.723Z",
"dateUpdated": "2026-04-07T14:08:11.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-29200 (GCVE-0-2024-29200)
Vulnerability from cvelistv5
Published
2024-03-28 13:28
Modified
2024-08-02 01:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1220 - Insufficient Granularity of Access Control
Summary
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T15:54:22.072724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:19.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-28T13:28:36.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94"
}
],
"source": {
"advisory": "GHSA-cj3c-5xpm-cx94",
"discovery": "UNKNOWN"
},
"title": "API returns timesheet entries a user should not be authorized to view"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29200",
"datePublished": "2024-03-28T13:28:36.005Z",
"dateReserved": "2024-03-18T17:07:00.096Z",
"dateUpdated": "2024-08-02T01:10:54.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46245 (GCVE-0-2023-46245)
Vulnerability from cvelistv5
Published
2023-10-31 15:06
Modified
2024-08-02 20:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Summary
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"
},
{
"name": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kimai",
"vendor": "kimai",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software\u0027s PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T16:38:46.831Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"
},
{
"name": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"
}
],
"source": {
"advisory": "GHSA-fjhg-96cp-6fcw",
"discovery": "UNKNOWN"
},
"title": "Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46245",
"datePublished": "2023-10-31T15:06:23.359Z",
"dateReserved": "2023-10-19T20:34:00.948Z",
"dateUpdated": "2024-08-02T20:37:40.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}