Lucene search

GitHub Advisory DatabaseGHSA-427Q-JP8V-WW95

HistoryNov 23, 2021 - 6:16 p.m.

Cross-site Scripting in kimai2

2021-11-2318:16:50

CWE-352

GitHub Advisory Database

github.com

cross-site scripting

csrf

kimai2

duplicate teams

admin users

vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.1%

JSON

CSRF related to duplicate action. (the duplication occurs first before redirecting to edit form). This vulnerability is capable of tricking admin users to duplicate teams.

Affected configurations

Vulners

Node

kevinpapstkimai2Range<1.16.2

VendorProductVersionCPE
kevinpapstkimai2*cpe:2.3:a:kevinpapst:kimai2:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
kevinpapst	kimai2	*	cpe:2.3:a:kevinpapst:kimai2::::::::

References

github.com/advisories/GHSA-427q-jp8v-ww95

github.com/kevinpapst/kimai2/commit/b28e9c120c87222e21a238f1b03a609d6a5d506e

huntr.dev/bounties/0567048a-118c-42ec-9f94-b55533017406

nvd.nist.gov/vuln/detail/CVE-2021-3976

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.1%

JSON

Related for GHSA-427Q-JP8V-WW95