← Back to CVEs
CVE-2024-29200
MEDIUM6.8
Description
Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.
CVE Details
CVSS v3.1 Score6.8
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionREQUIRED
Published3/28/2024
Last Modified10/10/2025
Sourcenvd
Honeypot Sightings0
Affected Products
kimai:kimai
Weaknesses (CWE)
CWE-1220
References
https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94(security-advisories@github.com)
https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.