Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2


Reported on

Nov 16th 2021


CSRF related to duplicate action. (the duplication occurs first before redirecting to edit form)

Proof of Concept

GET /en/admin/teams/{id}/duplicate
GET /en/admin/project/{id}/duplicate


This vulnerability is capable of tricking admin users to duplicate teams


This is probably all the unprotected endpoints for duplicate action vulnerable to CSRF, there may be more, but this is what I have found while looking through the files.


duplicate project backend

duplicate team backend

duplicate team frontend

duplicate team subscriber

duplicate project frontend

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. 2 years ago
haxatron modified the report
2 years ago
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 2 years ago
Kevin Papst validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst marked this as fixed with commit b28e9c 2 years ago
Kevin Papst has been awarded the fix bounty
This vulnerability will not receive a CVE
actions.html.twig#L1L15 has been validated
actions.html.twig#L1L15 has been validated
TeamSubscriber.php#L36L39 has been validated
TeamController.php#L87L102 has been validated
Kevin Papst
2 years ago


Thanks @haxatron, I found and fix two more duplicate actions with the same problem :-)

Kevin Papst
2 years ago


Credits, see new release

2 years ago


Thanks, but I think the two other duplicate actions did not duplicate the object before redirecting to the form unlike duplicate project and team I have reported here, so there was no need for the CSRF protection on the two other duplicate actions. :-)

Kevin Papst
2 years ago


Yeah, that was a late night mistake and is already reverted ... having two CSRF protections on one form is probably too much :D

Jamie Slome
2 years ago


CVE published! 🎊

to join this conversation