Kimai
Monthly
Kimai versions prior to 2.51.0 lack proper customer-level access controls in the invoice API endpoint, allowing any user with the TEAMLEAD role to enumerate and read all invoices across the entire system regardless of customer ownership. Public exploit code exists for this authorization bypass vulnerability, which can lead to unauthorized disclosure of sensitive financial and customer data. A patch is available in version 2.51.0 and should be applied immediately.
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users. [CVSS 6.4 MEDIUM]
Kimai versions prior to 2.46.0 contain an overly permissive Twig sandbox configuration in the export functionality that allows authenticated users with export permissions to execute arbitrary method calls and extract sensitive data such as environment variables, password hashes, and session tokens. Public exploit code exists for this vulnerability. The issue is resolved in version 2.46.0 and later.