CVE-2024-29200

API returns timesheet entries a user should not be authorized to view

CVSS 6.8 (Medium) · EPSS 0.6% · CWE-1220
In short

Kimai's API incorrectly returns all timesheet entries to users who should only see timesheets from their teams, even though the web interface correctly restricts this data. This means sensitive time-tracking information can be accessed by unauthorized users through the API.

Technical detail

A permission check inconsistency exists between Kimai's frontend and API implementations for the `view_other_timesheet` permission. The API endpoint fails to enforce team-based filtering when returning timesheet entries, allowing authenticated users with `view_other_timesheet` enabled to retrieve all timesheets regardless of team membership, while the UI correctly restricts visibility to team-scoped entries. The vulnerability affects confidentiality of time-tracking data across the application.
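A small model of the inconsistency described above, added here as an example (not Kimai's own code; the `User`/`Timesheet` classes, the sample team data and the function names are constructed): the team-scoped rule the advisory attributes to the UI, the pre-2.13.0 API behaviour where the permission alone unlocks every entry, a hardened API path that reuses the single rule, and a regression check that flags any entry the API returns but the UI would hide.

```python
from dataclasses import dataclass

# Constructed data model for illustration only; not Kimai's classes or API.
@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset
    view_other_timesheet: bool = False  # the permission named in the advisory

@dataclass(frozen=True)
class Timesheet:
    id: int
    owner: str  # name of the user who logged the entry

def shares_team(a: User, b: User) -> bool:
    return bool(a.teams & b.teams)

def visible_ids_ui(viewer: User, entries, users) -> set:
    """Team-scoped rule the advisory attributes to the web UI: own entries,
    plus other users' entries only when the permission is set AND the
    entry's owner shares at least one team with the viewer."""
    out = set()
    for e in entries:
        if e.owner == viewer.name:
            out.add(e.id)
        elif viewer.view_other_timesheet and shares_team(viewer, users[e.owner]):
            out.add(e.id)
    return out

def visible_ids_api_vulnerable(viewer: User, entries, users) -> set:
    """Behaviour the advisory describes for the API before 2.13.0:
    the permission alone returns every entry; team membership is ignored."""
    if viewer.view_other_timesheet:
        return {e.id for e in entries}
    return {e.id for e in entries if e.owner == viewer.name}

def visible_ids_api_fixed(viewer: User, entries, users) -> set:
    """Hardened form: both surfaces call the one authorization rule."""
    return visible_ids_ui(viewer, entries, users)

def over_exposure(viewer: User, entries, users, api_fn) -> set:
    """Regression check: ids an API path returns that the UI rule would hide.
    A non-empty result means the two surfaces disagree (the flaw is present)."""
    return api_fn(viewer, entries, users) - visible_ids_ui(viewer, entries, users)

# Constructed sample data: alice (dev, has the permission), bob (dev), carol (sales)
USERS = {u.name: u for u in [
    User("alice", frozenset({"dev"}), view_other_timesheet=True),
    User("bob", frozenset({"dev"})),
    User("carol", frozenset({"sales"})),
]}
ENTRIES = [Timesheet(1, "alice"), Timesheet(2, "bob"), Timesheet(3, "carol")]
```

Running `over_exposure(USERS["alice"], ENTRIES, USERS, visible_ids_api_vulnerable)` yields `{3}` (carol's entry leaks across teams), while the fixed path yields an empty set.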

Summary generated and translated by AI from the official description.

Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Affected products
kimai · kimai