API password hash leakage via invoice Twig template

Affected versions

  • Kimai versions <= 2.52.0 are affected by this security issue
  • The issue has been fixed in Kimai 2.53.0
  • Severity: Low
  • We have not requested an official CVE ID for this security advisory

Description

Kimai allowed invoice Twig templates to access API token related user methods that should not have been exposed in the sandbox. In affected versions, a crafted invoice template could include the hashed API token of the user who generated the invoice in the rendered output.

This issue was caused by an incomplete method blocklist in the Twig security policy.

  • Sensitive user methods such as password-related accessors were blocked, but API token methods were not
  • A malicious or careless invoice template could therefore access token-related data through the invoice model
  • The practical impact is limited because API passwords are deprecated and the leaked value is a hash, not a reusable plaintext token
  • Only a System-Admin (with the permission upload_invoice_template) could upload such crafted templates.
  • Kimai Cloud is not affected because Twig templates have to pass a manual review process
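
The root cause above is a blocklist that names the methods a sandboxed invoice template may not call, which silently stops being complete whenever a new accessor is added to the user model. The snippet below is an added illustration, not Kimai's code: it uses Twig's own allowlist-based SecurityPolicy (installed via Composer) against a hypothetical User class, so that an accessor not explicitly listed, such as getApiToken, is rejected at render time rather than leaking by default.

```php
<?php
// Added example, not part of Kimai: allowlist-based Twig sandbox policy.
// Assumes Twig 3 is installed via Composer; the User class is a stand-in
// with constructed values, not a real model.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical user model: only username and alias belong on an invoice.
final class User
{
    public function getUsername(): string { return 'alice'; }
    public function getAlias(): string { return 'Alice'; }
    // Secret-bearing accessors that must never reach rendered output.
    public function getPassword(): string { return 'CONSTRUCTED-PASSWORD-HASH'; }
    public function getApiToken(): string { return 'CONSTRUCTED-API-TOKEN-HASH'; }
}

// Allowlist: anything not named here is rejected, so a getter added later
// (getApiToken, a future getWebhookSecret, ...) is blocked without a policy change.
$policy = new SecurityPolicy(
    ['if', 'for'],                                 // allowed tags
    ['escape', 'upper'],                           // allowed filters
    [User::class => ['getUsername', 'getAlias']],  // allowed methods per class
    [],                                            // allowed properties
    ['range']                                      // allowed functions
);

$twig = new Environment(new ArrayLoader([
    // Constructed templates: the second one mimics a crafted invoice template.
    'ok'   => 'Invoice for {{ user.username }}',
    'leak' => 'Invoice for {{ user.username }} token={{ user.apiToken }}',
]));
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

// Render a template, turning a policy violation into a rejection the caller
// can log and surface to the admin who uploaded the template.
function renderInvoiceTemplate(Environment $twig, string $name, User $user): string
{
    try {
        return $twig->render($name, ['user' => $user]);
    } catch (SecurityError $e) {
        return 'REJECTED: ' . $e->getMessage();
    }
}

echo renderInvoiceTemplate($twig, 'ok', new User()), PHP_EOL;
echo renderInvoiceTemplate($twig, 'leak', new User()), PHP_EOL;
```

The first render succeeds; the second throws a SecurityError (specifically Twig's SecurityNotAllowedMethodError) when `user.apiToken` resolves to `getApiToken`, because that method is absent from the allowlist. The same check rejects `user.password` without the policy ever having to enumerate sensitive names, which is the property a blocklist over a growing model cannot guarantee.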

Users should update to 2.53.0 or newer.

Credits

  • Reported by: hett-patell
  • Patched by: kevinpapst

First reported in GitHub advisory: GHSA-rh42-6rj2-xwmc
