Kimai

Menu

• Product
  • Apps & Integrations
  • Demo
  • Blog
  • Support
  • About Kimai
  • Open Source
• Cloud
  • Pricing
  • Changelog
• Self hosting
  • Installation
  • Plugins
  • Forum
• Documentation
  • User manual
  • Cloud
  • Self hosting
  • Developer

English

• Català
• Čeština
• Deutsch
• English
• Español
• Français
• עברית
• Hrvatski
• Italiano
• Dutch
• Polski
• Português (Brasil)
• Slovenčina
• Svenska
• தமிழ்
• Українська
• 中文（繁體）

Start for free

1. Home
2. Security
3. Kimai Advisory CVE-2024-45048

Affected versions

• Kimai versions <= 2.20.1 are affected by this security issue
• The issue has been fixed in Kimai 2.21.0
• Severity: Medium
• The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-45048 to this issue

Description

Kimai was affected by an XML external entity issue through its use of PHPSpreadsheet for invoice import and export handling. In affected versions, a malicious spreadsheet template could trigger XML parsing behavior that allowed local file disclosure during invoice generation.

Exploitation required administrative access to upload a crafted XLSX template, but a successful attack could expose local files and, in edge cases, contribute to more severe outcomes.

This issue was related to spreadsheet template handling in the invoice workflow.

• Kimai used PHPSpreadsheet to load uploaded XLSX templates
• A malicious spreadsheet could trigger XXE behavior during processing
• The practical result was local file read, with possible escalation in special environments
• Exploitation required an System-Admin or someone with equivalent template upload capabilities
• Kimai Cloud is not affected because Twig templates have to pass a manual review process

Users should update to 2.21.0 or newer.

Credits

• Reported by: ixSly
• Patched by: kevinpapst

First reported in GitHub advisory: GHSA-534c-hcr7-67jg