Unexpected Data Returned Through API Due to Misconfigured Permissions
CVE-2024-29200

6.8 MEDIUM

Key Information:

Vendor

Kimai

Status
Vendor
CVE Published:
28 March 2024

Badges

📰 News Worthy

What is CVE-2024-29200?

The vulnerability within the Kimai time-tracking application arises from an inconsistency in handling the view_other_timesheet permission between the user interface and the API. In the UI, enabling this permission restricts visibility to timesheet entries related to the user's own teams. Conversely, the API does not respect this restriction, allowing users to access all timesheet entries regardless of team affiliation. This discrepancy poses a security risk by potentially exposing sensitive timesheet information to unauthorized users. The issue has been resolved in Kimai version 2.13.0.
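The gap described above, as an added illustration (not Kimai's code): a simplified model in which the UI applies a team-scoped filter behind view_other_timesheet while the unscoped API variant does not, plus a defender-side check that lists entries an API returns but the UI would hide. The User and Timesheet types, the team field on a timesheet, and the sample data are assumptions made for this example.

```python
"""Added example (not Kimai's code): a simplified model of the UI/API
permission gap. Types, field names and sample data are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset            # names of the teams the user belongs to
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class Timesheet:
    id: int
    owner: str
    team: str                   # team the entry belongs to (assumption)


def _team_scoped(user, entries):
    """Entries the user may see: their own, plus (with view_other_timesheet)
    those belonging to the user's own teams."""
    own = [e for e in entries if e.owner == user.name]
    if "view_other_timesheet" not in user.permissions:
        return own
    return [e for e in entries if e.owner == user.name or e.team in user.teams]


def ui_list(user, entries):
    """UI behaviour: permission granted, but restricted to own teams."""
    return _team_scoped(user, entries)


def api_list_unscoped(user, entries):
    """Models the pre-2.13.0 API behaviour: the permission is checked,
    but the team restriction is never applied, so every entry is returned."""
    if "view_other_timesheet" not in user.permissions:
        return [e for e in entries if e.owner == user.name]
    return list(entries)


def api_list_scoped(user, entries):
    """Hardened variant: the API reuses the exact scoping rule the UI uses."""
    return _team_scoped(user, entries)


def exposure_gap(user, entries, api_fn):
    """Defender check: ids the API returns that the UI would not show."""
    ui_ids = {e.id for e in ui_list(user, entries)}
    return sorted(e.id for e in api_fn(user, entries) if e.id not in ui_ids)


# Constructed sample data: alice is in "dev" with the permission; carol's entry is in "sales".
ENTRIES = [Timesheet(1, "alice", "dev"), Timesheet(2, "bob", "dev"), Timesheet(3, "carol", "sales")]
ALICE = User("alice", frozenset({"dev"}), frozenset({"view_other_timesheet"}))
BOB = User("bob", frozenset({"dev"}))
```

Running exposure_gap against each API endpoint with a representative user is a cheap regression check that a permission enforced in one code path is enforced in all of them.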

Affected Version(s)

kimai < 2.13.0

News Articles


References

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • 📰 First article discovered by app.soos.io

  • Vulnerability published

  • Vulnerability reserved