Kimai
CVE-2024-29200
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
AnalysisAI
Kimai is a web-based multi-user time-tracking application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-1220. Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0. Affected products include: Kimai.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Kimai is a web-based multi-user time-tracking application. Rated high severity (CVSS 7.2), this vulnerability is remotel
Kimai versions prior to 2.46.0 contain an overly permissive Twig sandbox configuration in the export functionality that
Kimai versions prior to 2.51.0 lack proper customer-level access controls in the invoice API endpoint, allowing any user
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into
A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Rated medium severity (CVSS 6.5), this vu
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today