Filtered by vendor Kimai
Subscribe
Total
11 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4596 | 1 Kimai | 1 Kimai | 2025-10-10 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-29200 | 1 Kimai | 1 Kimai | 2025-10-10 | N/A | 6.8 MEDIUM |
| Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0. | |||||
| CVE-2020-19825 | 1 Kimai | 1 Kimai | 2025-03-19 | N/A | 9.6 CRITICAL |
| Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges. | |||||
| CVE-2023-46245 | 1 Kimai | 1 Kimai | 2024-11-21 | N/A | 7.2 HIGH |
| Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates. | |||||
| CVE-2021-4033 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-43515 | 1 Kimai | 1 Kimai | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| CSV Injection (aka Excel Macro Injection or Formula Injection) exists in creating new timesheet in Kimai. By filling the Description field with malicious payload, it will be mistreated while exporting to a CSV file. | |||||
| CVE-2021-3985 | 1 Kimai | 1 Kimai2 | 2024-11-21 | 6.0 MEDIUM | 9.0 CRITICAL |
| kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
| CVE-2021-3976 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3963 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2021-3957 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) | |||||
| CVE-2019-15481 | 1 Kimai | 1 Kimai 2 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kimai v2 before 1.1 has XSS via a timesheet description. | |||||