| Title | Kimai Kimai time tracker < 2.16.0 Insecure direct object references |
|---|
| Description | Currently the application does not have a secure session management mechanism. It was possible to guess a valid value of PHPSESSIONID of another active user, which allowed us to log in and impersonate the targeted user without having to have an account within the Kimai application. The likelihood and impact can also increase due to the lack of rate limiting mechanism. |
|---|
| Source | ⚠️ https://github.com/kimai/kimai/releases/tag/2.16.0 |
|---|
| User | DeepCove (ID 60341) |
|---|
| Submission | 2024-05-03 14:38 (27 days ago) |
|---|
| Moderation | 2024-05-07 07:27 (4 days later) |
|---|
| Status | Przyjęty |
|---|
| VulDB Entry | 263318 |
|---|