Authenticated users can preview invoices they do not have read access to
To demonstrate this vulnerability, we will use tony_teamlead on the demo site.
1: Log in as tony_teamlead.
2: Go to the Invoices page and note that no Haley-Jaskolski invoice document is shown in the UI.
3: If tony_teamlead nevertheless visits https://demo.kimai.org/en/invoice/preview/4/4, they can see Haley-Jaskolski’s invoice document. On the demo-stable site, if tony_teamlead visits https://demo-stable.kimai.org/en/invoice/preview/1/4, they see Crooks Group’s document even though they have no access to it.
4: An attacker can increment or decrement invoice_id in https://demo.kimai.org/en/invoice/preview/{invoice_id}/{file_export_format} to retrieve invoice documents they do not have access to, because the preview route does not check whether the user may read the invoice.
As a result, authenticated users can access potentially sensitive financial information (invoice documents) that they are not authorised to view.
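As an added defender-side example (not part of this report and not Kimai's own code), the following script scans constructed web-server access-log lines for the enumeration pattern in step 4: one authenticated user successfully fetching several consecutive invoice ids from the preview route. The combined-log format, usernames and invoice ids are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumed combined-log format, not taken
# from the report): one user walks consecutive invoice ids on the preview route.
SAMPLE_LOG = """\
10.0.0.5 - tony_teamlead [12/May/2023:10:01:02 +0000] "GET /en/invoice/preview/4/4 HTTP/1.1" 200 5120
10.0.0.5 - tony_teamlead [12/May/2023:10:01:09 +0000] "GET /en/invoice/preview/5/4 HTTP/1.1" 200 5011
10.0.0.5 - tony_teamlead [12/May/2023:10:01:15 +0000] "GET /en/invoice/preview/6/4 HTTP/1.1" 200 4890
10.0.0.5 - tony_teamlead [12/May/2023:10:01:21 +0000] "GET /en/invoice/preview/7/4 HTTP/1.1" 200 5230
10.0.0.9 - anna_admin [12/May/2023:10:02:00 +0000] "GET /en/invoice/preview/12/4 HTTP/1.1" 200 6000
10.0.0.9 - anna_admin [12/May/2023:10:05:00 +0000] "GET /en/invoice/ HTTP/1.1" 200 9000
"""

# ip, ident, authenticated user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Optional locale prefix, then /invoice/preview/{invoice_id}/{file_export_format}
PREVIEW_RE = re.compile(r"^/(?:[a-z]{2}/)?invoice/preview/(?P<invoice_id>\d+)/(?P<fmt>[^/]+)$")

def parse_preview_hits(log_text):
    """Return {user: [invoice_id, ...]} for successful (200) preview requests, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        p = PREVIEW_RE.match(m["path"])
        if p:
            hits[m["user"]].append(int(p["invoice_id"]))
    return hits

def longest_sequential_run(ids):
    """Length of the longest run of ids that each differ by exactly 1 from the previous request."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if abs(cur - prev) == 1 else 1
        best = max(best, run)
    return best

def flag_enumeration(log_text, min_distinct=3, min_run=3):
    """Users whose preview requests cover many distinct ids in a sequential walk."""
    flagged = {}
    for user, ids in parse_preview_hits(log_text).items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[user] = {"distinct_ids": distinct, "sequential_run": run}
    return flagged
```

Thresholds are deliberately low for the sample; on real logs, baseline them against how many distinct invoices a legitimate user previews per session.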