XXE leading to local file read

Affected versions

  • Affected versions: <= 2.20.1
  • Patched version: 2.21.0
  • Advisory published: 17 Sep 2024

Severity

Severity: Medium

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-45048 to this issue.

Vulnerability

Kimai was affected by an XML external entity issue through its use of PHPSpreadsheet for invoice import and export handling. In affected versions, a malicious spreadsheet template could trigger XML parsing behavior that allowed local file disclosure during invoice generation.

Exploitation required administrative access to upload a crafted XLSX template, but a successful attack could expose local files and, in edge cases, contribute to more severe outcomes.

Info

This issue was related to spreadsheet template handling in the invoice workflow.

  • Kimai used PHPSpreadsheet to load uploaded XLSX templates
  • A malicious spreadsheet could trigger XXE behavior during processing
  • The practical result was local file read, with possible escalation in special environments
  • Exploitation required a System-Admin or someone with equivalent template upload capabilities
  • Kimai Cloud is not affected because Twig templates have to pass a manual review process
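The following is an added illustration, not code from Kimai or PHPSpreadsheet: a stand-alone Python pre-flight check that opens an uploaded XLSX archive and rejects it if any XML part declares a DOCTYPE or ENTITY, the constructs an XXE payload depends on, before the file ever reaches a spreadsheet parser. The two sample archives are constructed inline; "file:///placeholder" is a dummy URI, not a real target.

```python
import io
import re
import zipfile

# OOXML parts never need a DOCTYPE, and entity declarations can only live inside one,
# so either marker in any XML part is reason enough to reject the upload outright.
XXE_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def find_xxe_markers(xlsx_bytes: bytes) -> list:
    """Return the names of XML parts in the archive that contain DOCTYPE/ENTITY markers."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as archive:
        for name in archive.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            if XXE_MARKERS.search(archive.read(name)):
                flagged.append(name)
    return flagged


def is_safe_template(xlsx_bytes: bytes) -> bool:
    """Gate to run before handing an uploaded template to the spreadsheet library."""
    try:
        return not find_xxe_markers(xlsx_bytes)
    except zipfile.BadZipFile:
        return False  # not an XLSX container at all: reject rather than guess


def build_xlsx(workbook_xml: bytes) -> bytes:
    """Build a minimal XLSX-style archive in memory (constructed sample, not a real template)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml",
                         b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        archive.writestr("xl/workbook.xml", workbook_xml)
    return buf.getvalue()


# Constructed samples: a benign workbook part and one carrying the external-entity
# declaration pattern that an XXE-vulnerable parser would resolve.
CLEAN_TEMPLATE = build_xlsx(
    b'<?xml version="1.0"?><workbook><sheets><sheet name="Invoice"/></sheets></workbook>')
CRAFTED_TEMPLATE = build_xlsx(
    b'<?xml version="1.0"?><!DOCTYPE w [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b'<workbook>&ext;</workbook>')

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TEMPLATE), ("crafted", CRAFTED_TEMPLATE)):
        print(label, "safe" if is_safe_template(blob) else "rejected", find_xxe_markers(blob))
```

This check is a defence-in-depth gate for an upload endpoint; it does not replace updating to the patched release, which addresses the parsing behaviour itself.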

Solution

Users should update to 2.21.0 or newer.

Credits

  • Reported by: ixSly
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-534c-hcr7-67jg
