GHSA-427q-jp8v-ww95

Source

https://github.com/advisories/GHSA-427q-jp8v-ww95

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-427q-jp8v-ww95/GHSA-427q-jp8v-ww95.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-427q-jp8v-ww95

Aliases

CVE-2021-3976

Published

2021-11-23T18:16:50Z

Modified

2023-11-01T04:56:11.726655Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Cross-site Scripting in kimai2

Details

CSRF related to duplicate action. (the duplication occurs first before redirecting to edit form). This vulnerability is capable of tricking admin users to duplicate teams.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2021-11-19T11:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "github_reviewed_at": "2021-11-22T18:43:54Z"
}

References

Affected packages

Packagist / kevinpapst/kimai2

Package

Name: kevinpapst/kimai2
Purl: pkg:composer/kevinpapst/kimai2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.2

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.6.1

0.7

0.8

0.8.1

0.9

1.*

1.0

1.0.1

1.1

1.2

1.3

1.4

1.4.1

1.4.2

1.5

1.6

1.6.1

1.6.2

1.7

1.8

1.9

1.10

1.10.1

1.10.2

1.11

1.11.1

1.12

1.13

1.14

1.14.1

1.14.2

1.14.3

1.15

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.16

1.16.1