CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet
performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet
permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
[
{
"vendor": "kimai",
"product": "kimai",
"versions": [
{
"status": "affected",
"version": "< 2.13.0"
}
]
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial