1. Home
2. Security
3. Kimai Advisory CVE-2023-46245

Affected versions

• Kimai versions < 2.1.0 are affected by this security issue
• The issue has been fixed in Kimai 2.1.0
• Severity: High
• The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2023-46245 to this issue

Description

Kimai contained a server-side template injection vulnerability in Twig-based invoice rendering. In affected versions, an authenticated user with the ability to upload a malicious Twig template could execute arbitrary code on the server when the template was rendered.

Because the vulnerable code path was used during invoice generation, a crafted template could escalate from template injection to remote code execution.

This issue affected Twig-based rendering of uploaded invoice templates.

• A malicious Twig file could be uploaded and later executed during invoice generation
• The injected template code ran on the server during rendering
• Successful exploitation could lead to arbitrary command execution
• This turned an authenticated template upload capability into a high-impact server compromise risk
• Exploitation required an System-Admin or someone with equivalent template upload capabilities
• Kimai Cloud is not affected because Twig templates have to pass a manual review process

Users should update to 2.1.0 or newer.

Credits

• Reported by: ixSly
• Patched by: kevinpapst

First reported in GitHub advisory: GHSA-fjhg-96cp-6fcw