Home > Vulnerability Database > CVE-2024-29200

Mend.io Vulnerability Database

CVE-2024-29200

Good to know:

Date: March 28, 2024

Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0.

Language: PHP

Severity Score

6.8

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-29200

Url: https://github.com/kimai/kimai

Url: https://github.com/kimai/kimai/releases/tag/2.13.0

Url: https://github.com/kimai/kimai/security/advisories/GHSA-cj3c-5xpm-cx94

Url: https://www.mend.io/vulnerability-database/CVE-2024-29200

Severity Score

6.8

Weakness Type (CWE)

Insufficient Granularity of Access Control

CWE-1220

Top Fix

Upgrade Version

Upgrade to version 2.13.0

Learn More

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-29200

Good to know:

Date: March 28, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?