| Title | Kimai Kimai time tracker < 2.16.0 Insecure direct object references |
|---|
| Description | Currently the application does not have a secure session management mechanism. It was possible to guess a valid value of PHPSESSIONID of another active user, which allowed us to log in and impersonate the targeted user without having to have an account within the Kimai application. The likelihood and impact can also increase due to the lack of rate limiting mechanism. |
|---|
| Source | ⚠️ https://github.com/kimai/kimai/releases/tag/2.16.0 |
|---|
| User | DeepCove (UID 60341) |
|---|
| Submission | 05/03/2024 14:38 (2 years ago) |
|---|
| Moderation | 05/07/2024 07:27 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 263318 [Kimai up to 2.15.0 Session PHPSESSIONID information disclosure] |
|---|
| Points | 18 |
|---|