Vulnerability Description
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kimai | Kimai | < 2.13.0 |
Related Weaknesses (CWE)
References
- https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94ExploitVendor Advisory
- https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94ExploitVendor Advisory
FAQ
What is CVE-2024-29200?
CVE-2024-29200 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When...
How severe is CVE-2024-29200?
CVE-2024-29200 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-29200?
Check the references section above for vendor advisories and patch information. Affected products include: Kimai Kimai.