Cross-site Request Forgery (CSRF) Affecting kevinpapst/kimai2 Open this link in a new tab package, versions <1.16


0.0
medium
  • Attack Complexity

    Low

  • User Interaction

    Required

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

How to fix?

Upgrade kevinpapst/kimai2 to version 1.16 or higher.

Overview

kevinpapst/kimai2 is a web-based multiuser time-tracking application.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via deleting invoice templates.

PoC

<a href="https://{kimai_url}/en/invoice/template/{int}/delete">Some text</a>

References