Moderate severityNVD Advisory· Published Mar 28, 2024· Updated Aug 2, 2024
API returns timesheet entries a user should not be authorized to view
CVE-2024-29200
Description
Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kimai/kimaiPackagist | < 2.13.0 | 2.13.0 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-cj3c-5xpm-cx94ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29200ghsaADVISORY
- github.com/kimai/kimai/releases/tag/2.13.0ghsaWEB
- github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.