VYPR
Moderate severity · NVD Advisory · Published Nov 19, 2021 · Updated Aug 3, 2024

Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

CVE-2021-3957

Description

Kimai2 is vulnerable to CSRF in the flush-log endpoint, allowing attackers to delete log files without proper authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Kimai2's DoctorController at the /flush-log endpoint. The deleteLogfileAction method was originally mapped to GET requests with no CSRF token validation, relying only on the is_granted('system_configuration') permission check. This affects versions prior to commit 6b49535b523dcd36ec59462ee4e67e2b3a9151f3 [1][2].

Exploitation

An attacker can trick a logged-in administrator with system_configuration privileges into visiting a malicious page or clicking a crafted link. The attacker crafts a simple GET request to /flush-log, which triggers log file deletion without any CSRF protection. No additional authentication or interaction beyond the victim's browser session is required [2].

Impact

Successful exploitation allows the attacker to delete the application log file (var/log/YYYY-MM-DD.log). This can result in loss of forensic data and possible denial of service if logging is used for monitoring. The attacker does not gain code execution or data access beyond the log deletion [2].

Mitigation

The fix was introduced in commit 6b49535b523dcd36ec59462ee4e67e2b3a9151f3 on November 19, 2021 [2]. Users should upgrade to a version of Kimai2 that includes this commit or apply the patch manually. No official release version has been announced; the recommended action is to pull the latest code from the repository. No workaround is available for unpatched versions [1][3].
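As an added illustration, not Kimai2's own code and not the Symfony code in the patch, the following framework-free PHP models the two shapes of the handler described above: the original, where any authenticated GET deletes the log, and a hardened one that requires POST plus a per-session CSRF token compared with hash_equals() and consumed after use. The function names, the array-backed request and session, and the temporary log file are assumptions made for the example; the token id 'doctor.flush_log' is the one the fix uses, and the real fix relies on Symfony's CsrfTokenManager rather than the hand-rolled helpers here.

```php
<?php
// Added example, not Kimai2's code: a framework-free model of the /flush-log
// handler before and after CSRF hardening. The request and session are plain
// arrays so the script runs from the PHP CLI; Symfony's CsrfTokenManager plays
// the role of issueCsrfToken() and the comparison in the real fix.
declare(strict_types=1);

// Token id reused from the fix; the helper names around it are assumptions.
const TOKEN_ID = 'doctor.flush_log';

/**
 * Vulnerable shape: the only check is the permission. Nothing ties the request
 * to the administrator's intent, so a request that a third-party page causes the
 * browser to send arrives with the same session cookie and is accepted.
 */
function flushLogVulnerable(array $request, bool $isGranted, string $logfile): string
{
    if (!$isGranted) {
        return 'denied';
    }
    if (file_exists($logfile)) {
        unlink($logfile);
    }
    return 'deleted';
}

/** Issue (or reuse) the per-session token that the legitimate page embeds in its form. */
function issueCsrfToken(array &$session): string
{
    if (!isset($session[TOKEN_ID])) {
        $session[TOKEN_ID] = bin2hex(random_bytes(32)); // 256 bits, unguessable from another origin
    }
    return $session[TOKEN_ID];
}

/**
 * Hardened shape: POST only, the submitted token must equal the session copy,
 * and the token is consumed so the same request cannot be replayed.
 */
function flushLogHardened(array $request, array &$session, bool $isGranted, string $logfile): string
{
    if (!$isGranted) {
        return 'denied';
    }
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'method_not_allowed'; // state changes are never performed on GET
    }
    $expected = $session[TOKEN_ID] ?? '';
    $given    = (string) ($request['body']['_token'] ?? '');
    // hash_equals() compares in constant time, so a wrong token does not leak how close it was.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'csrf_rejected';
    }
    unset($session[TOKEN_ID]); // one-time use; the next page render issues a fresh token
    if (file_exists($logfile)) {
        unlink($logfile);
    }
    return 'deleted';
}

// --- demonstration on a constructed log file and an empty session ---
$logfile = sys_get_temp_dir() . '/kimai-csrf-example-' . getmypid() . '.log';
$session = [];

file_put_contents($logfile, "constructed log line\n");
echo 'vulnerable, tokenless GET: ', flushLogVulnerable(['method' => 'GET'], true, $logfile), PHP_EOL;

file_put_contents($logfile, "constructed log line\n");
echo 'hardened, tokenless GET:   ', flushLogHardened(['method' => 'GET'], $session, true, $logfile), PHP_EOL;
echo 'hardened, guessed token:   ', flushLogHardened(['method' => 'POST', 'body' => ['_token' => 'guess']], $session, true, $logfile), PHP_EOL;

// The legitimate page renders the session token into its confirmation form and submits it.
$token = issueCsrfToken($session);
echo 'hardened, valid POST:      ', flushLogHardened(['method' => 'POST', 'body' => ['_token' => $token]], $session, true, $logfile), PHP_EOL;
echo 'hardened, replayed token:  ', flushLogHardened(['method' => 'POST', 'body' => ['_token' => $token]], $session, true, $logfile), PHP_EOL;
echo 'log file still present:    ', var_export(file_exists($logfile), true), PHP_EOL;
```

Run it with `php example.php`: the hardened handler refuses the tokenless GET, a guessed token and a replayed token, and deletes the file only for the POST that carries the token issued to the same session. The design point is that the token must be unguessable to a third-party origin and bound to the session, and that the state change should not be reachable by GET at all, which also keeps the token out of URLs, browser history and Referer headers.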

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions   Patched versions
kevinpapst/kimai2 (Packagist)   < 1.16              1.16

Affected products: 2

Patches: 1

6b49535b523d

prevent csrf to flush logs (#2930)

https://github.com/kevinpapst/kimai2 · Kevin Papst · Nov 14, 2021 · via ghsa
2 files changed · +13 −3
  • src/Controller/DoctorController.php · +12 −2 · modified
    @@ -15,6 +15,8 @@
     use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
     use Symfony\Component\HttpFoundation\Response;
     use Symfony\Component\Routing\Annotation\Route;
    +use Symfony\Component\Security\Csrf\CsrfToken;
    +use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
     
     /**
      * @Route(path="/doctor")
    @@ -56,11 +58,19 @@ public function __construct(string $projectDirectory, string $kernelEnvironment,
         }
     
         /**
    -     * @Route(path="/flush-log", name="doctor_flush_log", methods={"GET"})
    +     * @Route(path="/flush-log/{token}", name="doctor_flush_log", methods={"GET"})
          * @Security("is_granted('system_configuration')")
          */
    -    public function deleteLogfileAction(): Response
    +    public function deleteLogfileAction(string $token, CsrfTokenManagerInterface $csrfTokenManager): Response
         {
    +        if (!$csrfTokenManager->isTokenValid(new CsrfToken('doctor.flush_log', $token))) {
    +            $this->flashError('action.delete.error');
    +
    +            return $this->redirectToRoute('doctor');
    +        }
    +
    +        $csrfTokenManager->refreshToken($token);
    +
             $logfile = $this->getLogFilename();
     
             if (file_exists($logfile)) {
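Review bot: `$csrfTokenManager->refreshToken($token)` passes the submitted token value where `CsrfTokenManagerInterface::refreshToken()` expects the token id, so the token actually checked on the line above (`doctor.flush_log`) is never rotated and the same link keeps working for the rest of the session; use `refreshToken('doctor.flush_log')` or, for a single-use token, `removeToken('doctor.flush_log')`. Separately, the route keeps `methods={"GET"}` and now carries the token in the URL path, which puts it into browser history, access logs and Referer headers; a POST form with the token in the request body would give the same CSRF check without exposing the token.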
    
  • templates/doctor/index.html.twig · +1 −1 · modified
    @@ -80,7 +80,7 @@
             {% block box_title %}Logfile (max. {{ logLines }} last lines){% endblock %}
             {% block box_tools %}
                 {% if log_delete %}
    -                <a class="btn-box-tool confirmation-link" href="{{ path('doctor_flush_log') }}" data-question="confirm.delete"><i class="{{ 'delete'|icon }}"></i></a>
    +                <a class="btn-box-tool confirmation-link" href="{{ path('doctor_flush_log', {'token': csrf_token('doctor.flush_log')}) }}" data-question="confirm.delete"><i class="{{ 'delete'|icon }}"></i></a>
                 {% endif %}
             {% endblock %}
             {% block box_body %}
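Review bot: the change only moves the token into the `href`, so the delete still leaves the browser as a GET with the token visible in the URL; rendering a small `<form method="post">` that carries `csrf_token('doctor.flush_log')` in a hidden `_token` field (keeping the `confirmation-link` / `data-question` behaviour on the submit control) would match a controller that accepts POST and keep the token out of the address bar and history.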
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
