CVE-2023-46245
Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File
In short
Kimai allows authenticated users to upload malicious Twig template files that execute arbitrary code on the server through its PDF and HTML rendering features. This enables attackers with user accounts to take complete control of the application.
Technical detail
An authenticated attacker can upload a specially crafted Twig template file that exploits SSTI in Kimai's PDF/HTML rendering pipeline (CWE-1336), achieving Remote Code Execution. The vulnerability requires valid user credentials and access to the file upload functionality; exploitation occurs when the server processes the malicious template during rendering operations.
Summary generated and translated by AI from the official description.
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
kimai · kimaiWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →