GHSA-427q-jp8v-ww95

Suggest an improvement
Source
https://github.com/advisories/GHSA-427q-jp8v-ww95
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-427q-jp8v-ww95/GHSA-427q-jp8v-ww95.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-427q-jp8v-ww95
Aliases
Published
2021-11-23T18:16:50Z
Modified
2023-11-01T04:56:11.726655Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Cross-site Scripting in kimai2
Details

CSRF related to duplicate action. (the duplication occurs first before redirecting to edit form). This vulnerability is capable of tricking admin users to duplicate teams.

Database specific
{
    "nvd_published_at": "2021-11-19T11:15:00Z",
    "github_reviewed_at": "2021-11-22T18:43:54Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
References

Affected packages

Packagist / kevinpapst/kimai2

Package

Name
kevinpapst/kimai2
Purl
pkg:composer/kevinpapst/kimai2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.16.2

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.8
0.8.1
0.9

1.*

1.0
1.0.1
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.5
1.6
1.6.1
1.6.2
1.7
1.8
1.9
1.10
1.10.1
1.10.2
1.11
1.11.1
1.12
1.13
1.14
1.14.1
1.14.2
1.14.3
1.15
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.15.6
1.16
1.16.1