Open-redirect via unvalidated RelayState in SAML ACS handler

Affected versions

  • Kimai versions <= 2.52.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.53.0
  • Severity: Low
  • We have not requested an official CVE ID for this security advisory

Description

Kimai’s SAML authentication flow accepted the RelayState parameter as a redirect target without sufficiently validating the destination. In affected versions, a successful SAML login could therefore redirect users to an attacker-controlled URL.

The issue requires SAML to be enabled and depends on a malicious or manipulated RelayState value being supplied during the authentication flow (e.g. a manipulated URL sent via email).

This issue affected the SAML login flow after successful authentication.

  • Kimai accepted the RelayState parameter as a redirect destination without sufficiently validating the target URL
  • After a successful SAML login, a user could be redirected to an attacker-controlled website
  • The issue only affected installations that had SAML authentication enabled
  • Exploitation required control over the SAML flow or an IdP-initiated login scenario with a malicious RelayState value

Users should update to 2.53.0 or newer.
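The following is an added illustration, not Kimai's own code or patch: a Python function showing the kind of check an ACS handler needs before honoring RelayState as a post-login redirect target. The default landing route and the host allowlist are assumed values.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed default route (constructed for this example, not Kimai's real route).
DEFAULT_LANDING = "/homepage"


def safe_redirect_target(relay_state, allowed_hosts):
    """Return a redirect target derived from RelayState only if it stays on the app.

    Applied after the SAML assertion has been validated, before issuing the
    redirect. Anything that fails the checks falls back to DEFAULT_LANDING,
    so login still completes but never sends the user off-origin.
    """
    if not relay_state:
        return DEFAULT_LANDING
    # Control characters or surrounding whitespace: reject (header injection,
    # parser confusion between the server and the browser).
    if any(ord(c) < 0x20 or c == "\x7f" for c in relay_state):
        return DEFAULT_LANDING
    if relay_state != relay_state.strip():
        return DEFAULT_LANDING
    # Browsers treat "/\evil.example" like "//evil.example"; refuse backslashes.
    if "\\" in relay_state:
        return DEFAULT_LANDING
    try:
        parts = urlsplit(relay_state)
    except ValueError:  # e.g. malformed IPv6 brackets
        return DEFAULT_LANDING
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) to an allowlisted host,
        # and the hostname (not a user@ prefix) is what gets compared.
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_LANDING
        if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
            return DEFAULT_LANDING
        # Re-emit only path and query; scheme and host come from our own config.
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    # Relative target: must be a single-slash rooted path like "/timesheet".
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return DEFAULT_LANDING
    return relay_state
```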

Credits

  • Reported by: morimori-dev
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-3jp4-mhh4-gcgr