Severity | Score | Advisory | Affected versions
CRITICAL | 9.8 | CVE-2023-53957: Kimai contains a SameSite cookie vulnerability | from 0, <= 1.30.10; from 0, < 1.1
HIGH | 7.2 | Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File | from 0, < 2.1.0
MEDIUM | 6.8 | Kimai has an Authenticated Server-Side Template Injection (SSTI) | from 0, < 2.46.0
MEDIUM | 6.8 | Kimai API returns timesheet entries a user should not be authorized to view | from 0, < 2.13.0
MEDIUM | 6.5 | Kimai's API invoice endpoint missing customer-level access control (IDOR) | from 0, < 2.51.0
MEDIUM | 6.4 | Kimai 2 vulnerable to persistent cross-site scripting in the timesheet descriptions | from 0, < 1.1
MEDIUM | 5.7 | Kimai vulnerable to formula injection via tag names in XLSX export | >= 2.27.0, < 2.54.0
MEDIUM | 5.4 | Kimai has Stored XSS via Incomplete HTML Attribute Escaping in Team Member Widget | from 0, < 2.53.0
MEDIUM | 4.3 | Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate | from 0, < 2.53.0
MEDIUM | 4.1 | Kimai has an arbitrary file read in its invoice PDF renderer (admin) | >= 2.32.0, < 2.56
LOW | 3.7 | Kimai information disclosure vulnerability | from 0, < 2.16.0
LOW | 3.3 | Kimai has Missing Object-Level Authorization in the Team API | from 0, < 2.54.0