Moderate severityNVD Advisory· Published Mar 28, 2024· Updated Aug 2, 2024
API returns timesheet entries a user should not be authorized to view
CVE-2024-29200
Description
Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kimai/kimaiPackagist | < 2.13.0 | 2.13.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-cj3c-5xpm-cx94ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29200ghsaADVISORY
- github.com/kimai/kimai/releases/tag/2.13.0ghsaWEB
- github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.