CVE-2024-29200

Опубликовано: 28 мар. 2024

Источник: nvd

CVSS3: 6.8

CVSS3: 6.5

EPSS Низкий

Описание

Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.

Ссылки

https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94
Exploit
Vendor Advisory
https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*

Версия до 2.13.0 (исключая)

EPSS

Процентиль: 47%

0.00237

Низкий

6.8 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-1220

Связанные уязвимости

GHSA-cj3c-5xpm-cx94

CVSS3: 6.8

github

почти 2 года назад

Kimai API returns timesheet entries a user should not be authorized to view

EPSS

Процентиль: 47%

0.00237

Низкий

6.8 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-1220