CVE-2024-29200

Name of the Vulnerable Software and Affected Versions Kimai versions prior to 2.13.0

Description The permission view other timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the view other timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This issue affects the confidentiality of timesheet entries.

Recommendations For Kimai versions prior to 2.13.0, update to version 2.13.0 to resolve the issue. As a temporary workaround, consider restricting access to the API endpoint /api/timesheets?user=all to minimize the risk of exploitation. Avoid using the view other timesheet permission until the issue is resolved.