VYPR
Moderate severity · NVD Advisory · Published Aug 23, 2019 · Updated Aug 5, 2024

CVE-2019-15481


Description

Kimai v2 before 1.1 has a stored XSS vulnerability via the timesheet description field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


CVE-2019-15481 describes a stored cross-site scripting (XSS) vulnerability in Kimai v2 versions prior to 1.1. The vulnerability exists in the timesheet description field, whose contents are not properly sanitized [1]. An attacker can therefore store HTML or script in a description, and that markup is later executed in the context of the application when the timesheet is displayed.

Exploitation requires the ability to submit a timesheet with a crafted description. An authenticated user with permission to create timesheets can inject arbitrary HTML or JavaScript. When other users view the affected timesheet, the injected script executes in their browsers, potentially leading to session hijacking, data theft, or other actions [3].

The impact of successful exploitation is the execution of arbitrary script in the context of the Kimai application for any user who views the affected timesheet, which can compromise that user's credentials, exfiltrate sensitive data, or perform unauthorized actions on their behalf.

The vulnerability was fixed in Kimai version 1.1, released on August 23, 2019 [4]. The fix was implemented in pull request #962, which sanitizes the timesheet description output [3]. Users are advised to upgrade to version 1.1 or later to mitigate this risk.
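The narrative above describes the defect as stored text being rendered without sanitization and the fix as sanitizing the description on output. The following added example (written for this page, not Kimai's own code or the content of pull request #962) shows the two renderings side by side over constructed timesheet records: a template that interpolates the stored description as raw HTML, and one that HTML-encodes it first. A small parser-based check then lists every element that reaches the rendered page from the stored data, which is the property a defender wants to assert in a regression test for a stored-XSS fix. The record format, function names and sample descriptions are all assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample timesheet records, not real Kimai data. Entry 2 carries a
# benign probe string of the kind a security tester stores to confirm that
# description text is rendered as data rather than as markup.
SAMPLE_TIMESHEETS = [
    {"id": 1, "description": "Reviewed sprint backlog"},
    {"id": 2, "description": '<img src=x onerror="alert(1)">'},
    {"id": 3, "description": 'Fix "quoted" text & <b>bold</b>'},
]

# The only elements the template itself is expected to emit.
TEMPLATE_TAGS = {"table", "tr", "td"}


def render_row_vulnerable(entry):
    """Interpolates the stored description verbatim: any tag in it becomes part of the page."""
    return f'<tr><td>{entry["id"]}</td><td>{entry["description"]}</td></tr>'


def render_row_safe(entry):
    """Encodes the description on output so stored text is displayed literally.

    html.escape with quote=True rewrites & < > " and ', which covers element
    content and quoted attribute values.
    """
    desc = html.escape(entry["description"], quote=True)
    return f'<tr><td>{entry["id"]}</td><td>{desc}</td></tr>'


def render_table(entries, row_renderer):
    rows = "\n".join(row_renderer(e) for e in entries)
    return f"<table>\n{rows}\n</table>"


class _TagCollector(HTMLParser):
    """Records every start tag (and its attributes) seen in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def foreign_tags(rendered_html):
    """Return elements in the rendered fragment that did not come from the template.

    An empty list means nothing in the stored data was interpreted as markup.
    """
    collector = _TagCollector()
    collector.feed(rendered_html)
    return [(t, a) for t, a in collector.tags if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_row_vulnerable), ("safe", render_row_safe)):
        page = render_table(SAMPLE_TIMESHEETS, renderer)
        print(f"--- {name} rendering ---")
        print(page)
        print("elements originating from stored data:", foreign_tags(page))
```

The check is deliberately coarse: it does not try to decide which tags are dangerous, it asserts that stored description text contributes no elements at all, which is the contract an encode-on-output fix provides. Template engines that escape by default (Twig in Symfony applications, for instance) give the same result as `render_row_safe` as long as a template does not opt out of escaping for the field; a regression test built on `foreign_tags` catches such an opt-out regardless of how the rendering is implemented.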

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
kevinpapst/kimai2   Packagist   < 1.1               1.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.