Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: kimai

Found 3 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-28685
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 month ago by @mweinelt Activity log
  • Created automatic suggestion 1 month ago
  • @mweinelt accepted 1 month ago
  • @mweinelt published on GitHub 1 month ago
Kimai: API invoice endpoint missing customer-level access control (IDOR)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.

Affected products

kimai
  • ==< 2.51.0

Matching in nixpkgs

pkgs.kimai

Web-based multi-user time-tracking application

Package maintainers

Dismissed
Permalink CVE-2019-25317
6.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 month, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 1 month, 4 weeks ago
  • @LeSuisse dismissed 1 month, 3 weeks ago
Kimai 2- persistent cross-site scripting (XSS)

Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.

Affected products

Kimai
  • ==2

Matching in nixpkgs

pkgs.kimai

Web-based multi-user time-tracking application

Package maintainers

Upstream patch: https://github.com/kimai/kimai/commit/a0e8aa3a435717187fb12210242dab1b7c97ff3f

Current stable branch was never impacted.
Published
Permalink CVE-2026-23626
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 3 weeks ago
  • @LeSuisse accepted 2 months, 3 weeks ago
  • @LeSuisse published on GitHub 2 months, 3 weeks ago
Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.

Affected products

kimai
  • ==< 2.46.0

Matching in nixpkgs

pkgs.kimai

Web-based multi-user time-tracking application

Package maintainers

Upstream advisory: https://github.com/kimai/kimai/security/advisories/GHSA-jg2j-2w24-54cg
Upstream fix: https://github.com/kimai/kimai/commit/6a86afb5fd79f6c1825060b87c09bd1909c2e86f