4 matches found
CVE-2024-29200
Kimai is a web-based multi-user time-tracking application. The permission viewothertimesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the viewothertimesheet permission to true, on the frontend, users can only see timesheet...
CVE-2024-29200
Kimai is a web-based multi-user time-tracking application. The permission viewothertimesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the viewothertimesheet permission to true, on the frontend, users can only see timesheet...
CVE-2024-29200
Kimai API flaw CVE-2024-29200 exposes timesheet entries to users who should be restricted. The issue stems from inconsistent handling of the view_other_timesheet permission between the UI and API, where the UI restricts data to a user’s teams but the API returns all timesheets when querying /api/...
CVE-2024-29200 API returns timesheet entries a user should not be authorized to view
Kimai is a web-based multi-user time-tracking application. The permission viewothertimesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the viewothertimesheet permission to true, on the frontend, users can only see timesheet...