kevinpapst/kimai2 is vulnerable to cross-site request forgery. The vulnerability exists in createInvoiceAction
of InvoiceController.php
which allows a malicious attacker to trick users to modify status of invoices and disrupt the tracking of invoices.