Critical severityNVD Advisory· Published Jul 31, 2025· Updated Apr 15, 2026

CVE-2013-10033

Description

An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/kimai_sqli.rbnvd
vulners.com/metasploit/MSF:EXPLOIT-UNIX-WEBAPP-KIMAI_SQLI-nvd
www.exploit-db.com/exploits/25606nvd
www.exploit-db.com/exploits/30010nvd
www.vulncheck.com/advisories/kimai-sqlinvd

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.038
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000