CVE-2023-46245

Name of the Vulnerable Software and Affected Versions Kimai versions prior to 2.1.0

Description Kimai, a web-based multi-user time-tracking application, is vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. This allows an attacker to execute arbitrary code on the server. The issue is triggered when the software attempts to render invoices.

Recommendations For versions prior to 2.1.0, update to version 2.1.0 or later, which enables security measures for custom Twig templates, mitigating the vulnerability. As a temporary workaround, consider disabling the rendering of custom Twig templates until a patch is available. Restrict access to the invoice rendering functionality to minimize the risk of exploitation. Avoid using the vulnerable PDF and HTML rendering functionalities until the issue is resolved.