Kevinpapst

PT-2026-23088
6.5
2026-03-04
Kimai · Kimai · CVE-2026-28685
**Name of the Vulnerable Software and Affected Versions**

Kimai versions prior to 2.51.0

**Description**

Kimai is a web-based multi-user time-tracking application. The `GET /api/invoices/{id}` API endpoint only verifies the role-based `view_invoice` permission; it does not confirm that the requesting user has access to the invoice's customer. A user with the `ROLE_TEAMLEAD` role, which grants the `view_invoice` permission, can therefore read every invoice in the system, including those associated with customers assigned to other teams. The issue stems from the absence of a customer access check in the API endpoint, unlike the web controller, which correctly implements this check. The vulnerable code is located in `src/API/InvoiceController.php`, lines 92-101. The `getCustomer()` function within `CustomerVoter` verifies team membership, but this check is not applied to the API endpoint. A proof of concept demonstrates that a team lead from one team can read invoices belonging to customers of another team with a simple `curl` request to the affected API endpoint. This allows unauthorized access to sensitive financial information, such as invoice amounts, customer details and payment terms, and compromises data isolation in multi-team deployments. The vulnerable parameter is `id` in the `/api/invoices/{id}` endpoint.

**Recommendations**

Versions prior to 2.51.0 should be updated to version 2.51.0 or later. Add the customer access check to the API endpoint, mirroring the implementation in the web controller. Specifically, include the following attribute on the `getAction` function of `src/API/InvoiceController.php`: `#[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]`.
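The two authorization layers the advisory contrasts, as an added PHP illustration that is not Kimai's code: a role-based permission check alone (the vulnerable API behaviour) beside the same check combined with a customer/team membership test of the kind `CustomerVoter` performs and the recommended `IsGranted` expression enforces. The array-based users, invoices, role table and helper names are constructed for this example only.

```php
<?php
// Added example (not Kimai's code): role-only authorization versus
// role plus object-level (customer/team) authorization.
declare(strict_types=1);

// Constructed role -> permission table standing in for Kimai's role config.
function hasPermission(array $user, string $permission): bool
{
    $grants = ['ROLE_TEAMLEAD' => ['view_invoice'], 'ROLE_USER' => []];
    return in_array($permission, $grants[$user['role']] ?? [], true);
}

// Object-level check in the spirit of the voter's 'access' decision:
// the user must belong to at least one team assigned to the customer.
function canAccessCustomer(array $user, array $customer): bool
{
    return count(array_intersect($user['teams'], $customer['teams'])) > 0;
}

// Vulnerable pattern: only the role-based permission is verified,
// so any team lead can fetch any invoice id.
function getInvoiceVulnerable(array $user, array $invoice): bool
{
    return hasPermission($user, 'view_invoice');
}

// Fixed pattern, equivalent to stacking
// #[IsGranted(new Expression("is_granted('access', subject.getCustomer())"), 'invoice')]
// on top of the existing permission attribute.
function getInvoiceFixed(array $user, array $invoice): bool
{
    return hasPermission($user, 'view_invoice')
        && canAccessCustomer($user, $invoice['customer']);
}

// Constructed sample: a lead of team "sales" requests an invoice whose
// customer is assigned only to team "support".
$teamLead = ['role' => 'ROLE_TEAMLEAD', 'teams' => ['sales']];
$invoice  = ['id' => 42, 'customer' => ['teams' => ['support']]];

echo 'role check only     : ', getInvoiceVulnerable($teamLead, $invoice) ? 'allowed' : 'denied', PHP_EOL;
echo 'role + customer check: ', getInvoiceFixed($teamLead, $invoice) ? 'allowed' : 'denied', PHP_EOL;
```

Run with `php example.php`; the first line shows the cross-team read the advisory describes, the second shows it denied once the customer check is applied.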