kevinpapst/kimai2 is vulnerable to cross-site scripting. An attacker can inject and execute malicious JavaScript through the project, customer, and activity attributes in the setEntries function of KimaiRecentActivities.js, because the function does not properly escape these user-supplied values.
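
The unescaped-attribute pattern described above, next to a hardened form, as an added example that is not Kimai's own code. Only the attribute names project, customer and activity come from the advisory; the function names, the markup and the sample entry are assumptions made for illustration.

```javascript
// Added example: hypothetical reconstruction, not the source of KimaiRecentActivities.js.
// Only the attribute names (project, customer, activity) are taken from the advisory.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use in HTML text and in quoted attribute values.
function escapeHtml(value) {
    // Treat null/undefined as empty so optional attributes never render as "null".
    const text = value == null ? '' : String(value);
    return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled names concatenated straight into markup.
function renderEntryUnsafe(entry) {
    return '<a class="dropdown-item" title="' + entry.customer + '">' +
        entry.project + ' / ' + entry.activity + '</a>';
}

// Hardened pattern: every user-controlled attribute is escaped before concatenation.
function renderEntrySafe(entry) {
    return '<a class="dropdown-item" title="' + escapeHtml(entry.customer) + '">' +
        escapeHtml(entry.project) + ' / ' + escapeHtml(entry.activity) + '</a>';
}

// Regression check for this template only: correct output has exactly two '<'
// (the <a> and </a> tags) and four '"' (the class and title quotes).
function hasInjectedMarkup(html) {
    const count = (ch) => html.split(ch).length - 1;
    return count('<') !== 2 || count('"') !== 4;
}

// Constructed sample entry with markup in each user-controlled field.
const sampleEntry = {
    customer: 'ACME" onmouseover="alert(1)',
    project: '<img src=x onerror=alert(1)>',
    activity: 'Testing & QA',
};

console.log('unsafe injected:', hasInjectedMarkup(renderEntryUnsafe(sampleEntry)));
console.log('safe injected:  ', hasInjectedMarkup(renderEntrySafe(sampleEntry)));
```

Where the entries are built as DOM nodes rather than strings, assigning the names through textContent and setAttribute gives the same result without a hand-written escaper.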