Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

Valid

Reported on

Nov 15th 2021

Description

CSRF in deleting invoice templates

Proof of Concept

<a href="https://[KIMAi_URL]/en/invoice/template/7/delete">CLICK ME!</a>

Impact

This vulnerability is capable of tricking admin user to delete invoice templates.

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. 2 years ago
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 2 years ago
Kevin Papst submitted a
patch
2 years ago
Kevin Papst validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst marked this as fixed with commit 95796a 2 years ago
Kevin Papst has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
2 years ago

Admin

CVE published! 🎉

to join this conversation