Stored HTML injection to XSS in kimai/kimai


Reported on

Mar 26th 2023


I hope you are all doing well.

*. I wanted to bring to your attention a potential vulnerability on the website

*. During my research, I discovered that the user name fields are vulnerable to a stored HTML injection attack.

*. Which is reflecting while inviting user part.

Proof of Concept:

*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

*. The link for the video is provided below for your review:

Reproduction Steps:

*. Go to the website

*. Edit your profile.

*. Change username as <a href=>HBT-HACKER BRO TECHNOLOGIES</a>

*. Store it.

*. Then, move on to the team, and create new team.

*. Now, select the user which is holding the user name as <a href=>HBT-HACKER BRO TECHNOLOGIES</a>

*. Check that part rendered the html injection.

*. Which will do open redirect to malicious sites.

*. That's the issue.


*. A stored HTML injection attack occurs when an attacker injects malicious HTML code into legitimate HTML code of a web application.

*. This vulnerability can lead to various types of attacks, including open redirects, phishing attempts, and browser hijacking.

*. Additionally, an attacker can gain access to the victim's IP address, latitude and longitude, and potentially carry out a camera phishing attack.

*. Overall, a stored HTML injection vulnerability can have severe consequences and it is important to prevent and mitigate this type of attack.


*. Restrict special characters and HTML encode attributes in the input fields.

*. Use regular expressions or other techniques to detect and reject malicious input.

*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.

*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.

We are processing your report and will contact the kimai team within 24 hours. a year ago
Manojkumar J modified the report
a year ago
Manojkumar J modified the report
a year ago
Manojkumar J
a year ago



I have escalated stored html injection to the xss.

XSS poc:


"><img src="x" onmouseover="prompt(1);">

We have contacted a member of the kimai team and are waiting to hear back a year ago
Kevin Papst modified the Severity from High (8.3) to Medium (6.7) a year ago
Manojkumar J
a year ago


Hi Kevin,

Thanks for being updated ASAP.

I run a Software market, were we can create and sell applications and softwares. Which is called as Codify360 Technologies. I am looking for authors who can sell their scripts to our clients. I am planning to upload 100 plus erps before starting advertisement and marketing. I would like to invite you as a author. Hope you will be interested in this one.

Another important point is, if you are really satisfied with my findings in kimai, kindly give five star rating in Hacker Bro Technologies google my business page. Just do google search Hacker Bro Technologies and update review about my findings with good content and five star.

Thanks, much appreciated if you help to grow a young entrepreneur.

@admin Can you delete this comment once getting after update from the Kevin? If you even update review for Hacker Bro Technologies much appreciated.


Kevin Papst modified the Severity from Medium (6.7) to Medium (6.4) a year ago
kimai/kimai maintainer has acknowledged this report a year ago
Kevin Papst gave praise a year ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Kevin Papst validated this vulnerability a year ago
thewhiteevil has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Manojkumar J
a year ago


Okay, that's nice. @admin can you delete the above comment, I think kevin was done with reading it out.

Kevin Papst marked this as fixed in 2.0.13 with commit 01226a a year ago
Kevin Papst has been awarded the fix bounty
This vulnerability has now been published a year ago
Kevin Papst
a year ago

Just to clarify: the Kimai version running in the Cloud is not yet released, so this does not need a CVE.

Manojkumar J
a year ago


Okay great! Cheers!

to join this conversation