| Titolo | Kimai Kimai time tracker < 2.16.0 Insecure direct object references |
|---|
| Descrizione | Currently the application does not have a secure session management mechanism. It was possible to guess a valid value of PHPSESSIONID of another active user, which allowed us to log in and impersonate the targeted user without having to have an account within the Kimai application. The likelihood and impact can also increase due to the lack of rate limiting mechanism. |
|---|
| Fonte | ⚠️ https://github.com/kimai/kimai/releases/tag/2.16.0 |
|---|
| Utente | DeepCove (UID 60341) |
|---|
| Sottomissione | 03/05/2024 14:38 (2 anni fa) |
|---|
| Moderazione | 07/05/2024 07:27 (4 days later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 263318 [Kimai fino a 2.15.0 Session PHPSESSIONID rivelazione di informazioni] |
|---|
| Punti | 18 |
|---|