Openspout · Openspout · CVE-2026-42267
**Name of the Vulnerable Software and Affected Versions**
Kimai versions 2.27.0 through 2.53.x
**Description**
Users with `ROLE_USER` privileges can create a tag containing a formula string (such as `=SUM(54+51)`) via the `POST /api/tags` endpoint and assign it to a timesheet. The `ArrayFormatter.formatValue()` function joins tag names using `implode()` without sanitization. Consequently, when an administrator exports timesheets to XLSX format, the OpenSpout library treats any string prefixed with `=` as a `FormulaCell` and writes it into the archive as a formula, which Excel evaluates when the file is opened. The issue stems from `ArrayFormatter` failing to call `sanitizeDDE()` and from the API permitting formula trigger characters such as `=`, `+`, `-`, and `@` at the start of tag names.
**Recommendations**
Update to version 2.54.0.
As a temporary workaround, avoid creating tags that begin with `=`, `+`, `-`, or `@`, and restrict the use of the `POST /api/tags` endpoint for untrusted users.
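The two missing controls the description and the workaround point at, modelled as an added example (not Kimai's or OpenSpout's code): rejecting formula trigger characters at the tag API, and neutralising them when tag names are joined into one export cell. The separator `", "` and the function names are assumptions; the trigger set is the one the advisory lists.

```python
# Added example, not code from Kimai or OpenSpout.
# Formula trigger characters named in the advisory.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def is_valid_tag_name(name: str) -> bool:
    """Input-side control: refuse tag names whose first character would
    make a spreadsheet treat the cell as a formula."""
    return not name.startswith(FORMULA_TRIGGERS)


def sanitize_dde(value: str) -> str:
    """Output-side control (the step the advisory says ArrayFormatter skips):
    prefix a single quote so the spreadsheet stores the value as text.
    Trade-off: a value such as "-5" is also quoted; for tag names that is fine."""
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def format_tags_unsafe(tags: list[str]) -> str:
    """The behaviour the advisory describes: plain join, no sanitization.
    Separator ", " is an assumption."""
    return ", ".join(tags)


def format_tags_safe(tags: list[str]) -> str:
    """Hardened join: each element is sanitized before it is concatenated,
    so the first tag can never start the cell with a trigger character."""
    return ", ".join(sanitize_dde(tag) for tag in tags)


def becomes_formula_cell(cell_value: str) -> bool:
    """Mirror of the writer-side rule the advisory cites: a string that
    starts with '=' is written as a FormulaCell rather than a string cell."""
    return cell_value.startswith("=")


if __name__ == "__main__":
    # Constructed sample: the formula string from the advisory plus a benign tag.
    tags = ["=SUM(54+51)", "billable"]
    print("api accepts first tag:", is_valid_tag_name(tags[0]))          # False
    print("unsafe cell is formula:", becomes_formula_cell(format_tags_unsafe(tags)))  # True
    print("safe cell is formula:", becomes_formula_cell(format_tags_safe(tags)))      # False
```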