VYPR
Critical severity · NVD Advisory · Published Feb 15, 2023 · Updated Mar 19, 2025

CVE-2020-19825

Description

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: kimai/kimai (Packagist)
Affected versions: < 1.11.1
Patched versions: none listed on this page

Note the discrepancy between the two sources on this page: the GHSA range ends at 1.11.1, while the NVD description above names kimai2 1.30.0. Verify the fixed release against the upstream advisory before relying on either figure.

Vulnerability mechanics

Root cause

"Missing output escaping of user-controllable timesheet descriptions before Markdown-to-HTML conversion allows stored cross-site scripting."

Attack vector

An attacker with the ability to create or edit timesheet entries can inject arbitrary JavaScript into the description field. Because the description is passed to `desc2html` without prior escaping, the script executes in the browser of any other user who views the timesheet (e.g., on export, invoice or listing pages), with that user's session and permissions. The weakness is stored cross-site scripting [CWE-79]; running in a higher-privileged viewer's session is the route by which, as the description above puts it, attackers can gain escalated privileges.

Affected code

The vulnerability resides in `src/Twig/MarkdownExtension.php` (the NVD description gives the path as `/src/Twig/Runtime/MarkdownExtension.php`; the fix-commit diff touches `src/Twig/MarkdownExtension.php`) and in multiple Twig templates (`templates/export/renderer/default.html.twig`, `templates/export/renderer/pdf.html.twig`, `templates/invoice/index.html.twig`, `templates/timesheet/export.html.twig`, `templates/timesheet/index.html.twig`, `templates/timesheet-team/export.html.twig`). These files render user-supplied timesheet descriptions without escaping, allowing stored XSS.

What the fix does

The patch applies the `escape` filter before the `desc2html` filter in all affected Twig templates, ensuring that any HTML/JavaScript in the description is neutralized before it is converted to HTML. Additionally, in `src/Twig/MarkdownExtension.php` the second argument to `toHtml()` is changed from `true` to `false`, which disables the option that allowed raw HTML in the Markdown output. Together these changes prevent user-supplied script content from being rendered as executable code. The order matters: escaping must run on the raw description before Markdown conversion, so that the only tags left in the output are the ones the converter itself emits; escaping after conversion would neutralize those as well and break legitimate formatting.
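The fix hinges on the order of operations: HTML-escape the untrusted description first, then run the Markdown converter with raw HTML disabled. The Python example below is added here to illustrate that ordering and is not Kimai's code. Its small Markdown-subset converter `markdown_to_html`, the two sample descriptions, and the three render functions are constructed for this page and stand in for Kimai's `desc2html` filter and `toHtml()`; the `allow_raw_html` flag is an assumption modelled on the `true`/`false` argument change described above.

```python
import html
import re

# Constructed sample inputs (not taken from the advisory): descriptions an
# attacker could save in a timesheet entry.
ATTACKER_DESCRIPTION = 'Fixed login bug <img src=x onerror="alert(document.cookie)"> **done**'
LINK_DESCRIPTION = 'See [notes](javascript:alert(1)) and [wiki](https://example.com/notes)'

_BOLD = re.compile(r'\*\*(.+?)\*\*')
_ITALIC = re.compile(r'\*(.+?)\*')
# Only http(s) URLs become links; a javascript: scheme stays plain text.
_LINK = re.compile(r'\[([^\]]+)\]\((https?://[^)\s]+)\)')


def markdown_to_html(text: str, allow_raw_html: bool) -> str:
    """Toy Markdown-subset converter standing in for Kimai's toHtml().

    Assumption: the real converter is library code; this one handles only
    bold, italic, http(s) links and line breaks. With allow_raw_html=False it
    neutralises any remaining tag delimiters, mirroring the toHtml(..., false)
    change in the fix.
    """
    if not allow_raw_html:
        # Only '<' and '>' are touched, so running this after html.escape()
        # does not double-escape '&' or quotes.
        text = text.replace('<', '&lt;').replace('>', '&gt;')
    text = _BOLD.sub(r'<strong>\1</strong>', text)
    text = _ITALIC.sub(r'<em>\1</em>', text)
    text = _LINK.sub(r'<a href="\2">\1</a>', text)
    return text.replace('\n', '<br>')


def render_vulnerable(description: str) -> str:
    """Pre-fix behaviour: {{ description|desc2html }} with raw HTML allowed."""
    return markdown_to_html(description, allow_raw_html=True)


def render_fixed(description: str) -> str:
    """Post-fix behaviour: {{ description|escape|desc2html }} with raw HTML disabled."""
    escaped = html.escape(description, quote=True)  # the Twig 'escape' filter step
    return markdown_to_html(escaped, allow_raw_html=False)


def render_wrong_order(description: str) -> str:
    """Escaping AFTER conversion also stops the payload, but it escapes the
    <strong> tags the converter produced too, destroying legitimate formatting."""
    return html.escape(markdown_to_html(description, allow_raw_html=True), quote=True)


if __name__ == '__main__':
    print('vulnerable :', render_vulnerable(ATTACKER_DESCRIPTION))
    print('fixed      :', render_fixed(ATTACKER_DESCRIPTION))
    print('wrong order:', render_wrong_order(ATTACKER_DESCRIPTION))
    print('links fixed:', render_fixed(LINK_DESCRIPTION))
```

In the fixed path the `<img>` payload survives only as literal text (`&lt;img ... onerror=&quot;...&quot;&gt;`) while `**done**` still becomes `<strong>done</strong>`; in the vulnerable path the tag and its `onerror` handler reach the page intact. The `render_wrong_order` variant shows why the patch escapes before, not after, `desc2html`. The link regex restricting hrefs to `http(s)://` is a separate precaution of this toy converter, not something the advisory attributes to Kimai's fix.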

Preconditions

  • auth: The attacker must be able to create or edit timesheet entries (e.g., as a regular user or via any role that can input descriptions).
  • input: The victim must view a page that renders the attacker's timesheet description (e.g., export, invoice, or timesheet listing).

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
