Lucene search
+L

4 matches found

redhatcve
redhatcve
added 2026/06/05 7:49 p.m.11 views

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

3.3CVSS5.4AI score0.00247EPSS
Exploits1References1
snyk
snyk
added 2026/04/24 4:17 p.m.5 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the Team API endpoints due to improper authorization checks in the TeamController process. An attacker can gain unauthorized access to modify any team's membership, customer assignments, project assignments, and...

3.3CVSS5.8AI score0.00247EPSS
Exploits1References2
osv
osv
added 2026/04/24 4:17 p.m.4 views

GHSA-JV9X-W4GM-HWCM Kimai has Missing Object-Level Authorization in the Team API

Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...

3.3CVSS5.8AI score0.00247EPSS
Exploits1References4
github
github
added 2026/04/24 4:17 p.m.18 views

Kimai has Missing Object-Level Authorization in the Team API

Summary The Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the editteam permission to modify any team, not just teams they are...

3.3CVSS5.5AI score0.00247EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder