Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php allows attackers to gain escalated privileges.
CVSS 9.6 | AI Score 8.5 | EPSS 0.002
kimai2 is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS 9 | AI Score 8.9 | EPSS 0.001
CSV Injection (aka Excel Macro Injection or Formula Injection) exists when creating a new timesheet in Kimai. If the Description field is filled with a malicious payload, it is mistreated when exported to a CSV file.
CVSS 7.8 | AI Score 7.6 | EPSS 0.001
Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the so...
CVSS 7.2 | AI Score 7.3 | EPSS 0.001
Kimai is a web-based multi-user time-tracking application. The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet e...
CVSS 6.8 | AI Score 6.4 | EPSS 0.0004
A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of...
CVSS 3.7 | AI Score 6.3 | EPSS 0.0004