CVE-2024-29200
CVE-2024-29200 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` is enforced differently in the Kimai UI and in the API, so the API returns data the UI would not expose. EPSS estimates a 0.64% chance of exploitation in the next 30 days.
Description
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` is enforced differently in the Kimai UI and in the API, so the API returns data the UI would not expose. When `view_other_timesheet` is set to true, the frontend shows users only the timesheet entries of teams they belong to. When all timesheets are requested through the API, however, every timesheet entry is returned, regardless of whether the requesting user shares a team with the entry's owner. This vulnerability is fixed in 2.13.0.
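The inconsistency described above, modelled as an added example that is not Kimai's own code: one team-scoped rule for the UI, the API behaviour as the advisory describes it, the hardened API path that reuses the UI rule, and a regression check that lists entries the API returns but the UI would not. User names, team names and timesheet records are constructed; treating a user's own entries as always visible is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset        # teams the user belongs to
    can_view_others: bool   # models the view_other_timesheet permission


@dataclass(frozen=True)
class Timesheet:
    id: int
    owner: str
    team: str


# Constructed sample data (hypothetical, not real Kimai records).
USERS = {
    "alice": User("alice", frozenset({"dev"}), True),
    "bob": User("bob", frozenset({"ops"}), True),
}
TIMESHEETS = [
    Timesheet(1, "alice", "dev"),
    Timesheet(2, "carol", "dev"),
    Timesheet(3, "dave", "ops"),
    Timesheet(4, "erin", "finance"),
]


def visible_in_ui(user, sheets):
    """Frontend rule: own entries, plus others' entries only inside the user's teams."""
    return [s for s in sheets
            if s.owner == user.name or (user.can_view_others and s.team in user.teams)]


def visible_in_api_vulnerable(user, sheets):
    """Pre-2.13.0 behaviour as the advisory describes it: the permission alone unlocks every entry."""
    if user.can_view_others:
        return list(sheets)
    return [s for s in sheets if s.owner == user.name]


def visible_in_api_fixed(user, sheets):
    """Hardened API path: apply the same team-scoped rule so both surfaces agree."""
    return visible_in_ui(user, sheets)


def overexposed(user, sheets, api_filter):
    """Regression check: IDs the API returns that the UI would not. Empty means consistent."""
    ui_ids = {s.id for s in visible_in_ui(user, sheets)}
    return sorted(s.id for s in api_filter(user, sheets) if s.id not in ui_ids)
```

Running `overexposed` for every user against the API filter is a cheap authorization test to keep in a suite so the two code paths cannot drift apart again.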
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Kimai | Kimai | < 2.13.0 |
References
- https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94 (Exploit, Vendor Advisory)
Source: NVD / NIST
