Lucene search

GitHub Advisory DatabaseGHSA-4JWX-78VX-GM6G

HistoryDec 10, 2021 - 8:34 p.m.

Cross-Site Request Forgery in kimai2

2021-12-1020:34:01

CWE-352

GitHub Advisory Database

github.com

cross-site request forgery

kimai2

saving invoices

modifying status

pending invoices

cancel invoices

software

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.3%

JSON

CSRF in saving invoices / modifying status of invoices (pending and cancel only)

Affected configurations

Vulners

Node

kevinpapstkimai2Range<1.16.7

VendorProductVersionCPE
kevinpapstkimai2*cpe:2.3:a:kevinpapst:kimai2:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
kevinpapst	kimai2	*	cpe:2.3:a:kevinpapst:kimai2::::::::

References

github.com/advisories/GHSA-4jwx-78vx-gm6g

github.com/kevinpapst/kimai2/commit/1da26e041df62c10bd8075d78f2db7854d3eee07

huntr.dev/bounties/e05be1f7-d00c-4cfd-9390-ccd9d1c737b7

nvd.nist.gov/vuln/detail/CVE-2021-4033

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

31.3%

JSON

Related for GHSA-4JWX-78VX-GM6G