Signed-in users could tamper with other users' favorite timesheet bookmarks

Affected versions

  • Kimai versions <=2.56.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.57.0
  • Severity: low
  • We have not requested an official CVE ID for this security advisory

Description

A flaw in the favorite timesheet feature allowed any signed-in user to add or remove entries from another user’s list of favorite (recent) timesheets. No sensitive data was exposed, but an attacker could disrupt a colleague’s quick-entry workflow by manipulating their bookmark list.

  • All Kimai installations up to and including version 2.56.0 are affected (OnPremise and Cloud).
  • Any signed-in user with the basic start_own_timesheet permission can trigger the issue; no administrative role is required.
  • The attacker needs to know the numeric ID of a timesheet belonging to another user.
  • The add and remove endpoints for favorite timesheets did not verify that the referenced timesheet belongs to the calling user. Instead, the bookmark owner was derived from the timesheet record itself.
  • Impact is limited to the integrity of the victim’s favorite/recent list. The vulnerability does not disclose data, escalate privileges, or modify timesheet records.
  • An attacker can combine the add and remove actions to repeatedly disturb a victim’s quick-entry workflow.

Why we didn’t request a CVE

The manipulated bookmarks are only used to render the “recent activities” list that lets a user quickly restart a previous timesheet. No business data can be tampered with, no records are created, modified, or deleted, and no information is disclosed. At worst, this is an annoyance for the affected user, which does not meet the threshold for a CVE.

Solution

The affected favorite endpoints now apply the is_owner voter against the requested timesheet, so only the actual owner of a timesheet can add it to or remove it from their bookmarks.
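The root cause and the fix, modelled in Python as an added example that is not Kimai's code: the vulnerable handler derives the bookmark owner from the timesheet record, while the fixed handler first checks that the requested timesheet belongs to the caller (standing in for the is_owner voter) and only then writes to the caller's own list. Class and function names and the sample users alice/bob are constructed for illustration.

```python
# Constructed model of the flaw and its fix; not Kimai code. Names are assumed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the HTTP 403 raised when the is_owner check fails."""


@dataclass(frozen=True)
class Timesheet:
    id: int
    owner: str  # username of the user who recorded the entry


@dataclass
class FavoriteStore:
    timesheets: dict[int, Timesheet]
    favorites: dict[str, set[int]] = field(default_factory=dict)

    def _lookup(self, timesheet_id: int) -> Timesheet:
        if timesheet_id not in self.timesheets:
            raise LookupError(f"timesheet {timesheet_id} not found")
        return self.timesheets[timesheet_id]

    # Vulnerable (<= 2.56.0): the bookmark owner is derived from the record,
    # so any signed-in caller who knows the ID writes into the record owner's list.
    def add_favorite_vulnerable(self, caller: str, timesheet_id: int) -> None:
        ts = self._lookup(timesheet_id)
        self.favorites.setdefault(ts.owner, set()).add(ts.id)

    # Fixed (2.57.0): the is_owner check compares the record owner to the caller
    # before touching any list, and the list written is the caller's own.
    def _deny_unless_owner(self, caller: str, ts: Timesheet) -> None:
        if ts.owner != caller:
            raise Forbidden(f"{caller} does not own timesheet {ts.id}")

    def add_favorite(self, caller: str, timesheet_id: int) -> None:
        ts = self._lookup(timesheet_id)
        self._deny_unless_owner(caller, ts)
        self.favorites.setdefault(caller, set()).add(ts.id)

    def remove_favorite(self, caller: str, timesheet_id: int) -> None:
        ts = self._lookup(timesheet_id)
        self._deny_unless_owner(caller, ts)
        self.favorites.setdefault(caller, set()).discard(ts.id)


def build_store() -> FavoriteStore:
    # Constructed sample data: two users, one timesheet each.
    return FavoriteStore({7: Timesheet(7, "alice"), 9: Timesheet(9, "bob")})
```

The remove endpoint in the vulnerable version mirrors the add variant and is omitted; the fixed remove_favorite shows the same check applied to both actions.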

Users should update to 2.57.0 or newer.

Credits

  • Reported by: Mitchell45
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-j5mc-p8qg-39j7