CVE-2024-29200

MEDIUM

Kimai - Info Disclosure

Title source: llm

Description

Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.

References (1)

[Exploit, Vendor Advisory] https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94

Scores

CVSS v3 6.8

EPSS 0.0028

EPSS Percentile 51.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1220

Status published

Products (2)

kimai/kimai < 2.13.0

kimai/kimai 0 - 2.13.0Packagist

Published Mar 28, 2024

Tracked Since Feb 18, 2026