PT-2022-11865 · Kimai2+1 · Kimai2+1

Published

2022-04-08

Updated

2022-04-14

CVE-2021-43515

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Kimai versions prior to 1.14.1 Kimai 2 versions prior to 1.14.1

Description A CSV Injection issue exists in creating new timesheets in Kimai. By filling the Description field with a malicious payload, it will be mistreated while exporting to a CSV file.

Recommendations For Kimai versions prior to 1.14.1, update to version 1.14.1 or later to resolve the issue. For Kimai 2 versions prior to 1.14.1, update to version 1.14.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Description field in new timesheets until a patch is available.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1236

Related Identifiers

CVE-2021-43515

GHSA-64FQ-9C6W-RQ44

Affected Products

Kimai

Kimai2

PT-2022-11865 · Kimai2+1 · Kimai2+1

CVE-2021-43515

Weakness Enumeration

Related Identifiers

Affected Products

References · 8