Kimai is a web-based multi-user time-tracking application. The view_other_timesheet permission behaves differently in the Kimai UI and in the API, so the API returns unexpected data. When the view_other_timesheet permission is set to true, on the frontend, users can only see timesheet.....
CVSS 6.8 | AI Score 6.4 | EPSS 0.0004
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the...
CVSS 7.2 | AI Score 7.3 | EPSS 0.001
Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated...
CVSS 9.6 | AI Score 8.5 | EPSS 0.002
CSV Injection (aka Excel Macro Injection or Formula Injection) exists when creating a new timesheet in Kimai. By filling the Description field with a malicious payload, the value is mishandled when exported to a CSV...
CVSS 7.8 | AI Score 7.6 | EPSS 0.001
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site...
CVSS 9 | AI Score 8.9 | EPSS 0.001