Severity: LOW

GHSA-m492-gv72-xvxj

Kimai Password Reset Link Remains Valid After Password Change

Details

### Summary

The LoginLink signature used for password reset URLs covers only the user's `id` — it does not include the password hash. After a user clicks a reset link and successfully changes their password, the same link remains valid for up to 2 additional uses within a 1-hour window. Anyone who intercepts or caches the original link can log in as the user even after the password has been changed.

### Details

`config/packages/security.yaml:73-78` configures the login link:

```yaml
login_link:
    check_route: link_login_check
    signature_properties: ['id']
    lifetime: 900
    max_uses: 3
```

The HMAC signature covers only `id`, not `password`, `username`, or `email`. The effective lifetime for password reset links is extended to 3600 seconds by `PasswordResetController.php:106-119` via `getPasswordResetRetryLifetime()`.

After the first successful use (where the user sets a new password), the `__pw_reset__` session flag is cleared by `WizardController.php:105`. Subsequent uses of the same link bypass the forced-password-reset wizard and grant a normal authenticated session.

Symfony's `LoginLinkHandler::consumeLoginLink` decrements a per-link counter but allows up to 3 total uses. Re-issuing a new link does not invalidate the old one.

The same vulnerability affects `UserLoginLinkCommand.php:77`, which generates admin-on-demand login links with the same signature scheme.

### PoC

**Step 1 — Generate a password reset link:**

```bash
docker exec <kimai_container> bin/console kimai:user:login-link <username>
```

**Step 2 — Use the link to log in and change the password.**

**Step 3 — Open the same link in a different browser or incognito session.**

The link logs the attacker in as a fully authenticated user, despite the password having been changed in Step 2.

**Step 4 — The link works a third time (3 total uses within 1 hour).**

### Impact

A password reset link that leaks through any of the following channels remains a valid authentication credential even after the legitimate user has changed their password: corporate mail-relay scanners that pre-click links (Microsoft Defender ATP, Mimecast, Barracuda), shared inboxes, browser history sync across devices, HTTP referrer headers, or proxy/WAF logs. The user believes they have secured their account by setting a new password, but the leaked link still grants full access for up to 2 additional uses within the hour.

### Solution

Login links now also include the `password` hash in the signed properties, so the signature no longer verifies once the user has changed the password and the link expires immediately.
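An added illustration (not Kimai's or Symfony's code) of why binding the signature to the password hash expires the link: a simplified HMAC login-link model in Python, with `SECRET`, `hash_password` and the user dict as constructed stand-ins for the application secret and the stored hash.

```python
import hashlib
import hmac

# Constructed stand-in for the application secret (not a real key).
SECRET = b"constructed-app-secret"


def hash_password(plain: str) -> str:
    # Stand-in for the stored password hash; the real scheme uses a slow
    # hash (bcrypt/argon2), but only the fact that the value changes matters.
    return hashlib.sha256(plain.encode()).hexdigest()


def make_signature(user: dict, expires: int, props: tuple) -> str:
    # HMAC over the expiry plus the selected user properties, the same idea
    # as Symfony's signature_properties (simplified model).
    msg = "|".join([str(expires)] + [str(user[p]) for p in props])
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def create_link(user: dict, props: tuple, lifetime: int, now: int) -> dict:
    expires = now + lifetime
    return {"user_id": user["id"], "expires": expires, "props": props,
            "hash": make_signature(user, expires, props)}


def verify_link(link: dict, user: dict, now: int) -> bool:
    # The server recomputes the HMAC from the *current* user record, so any
    # signed property that changed since issuance makes the link fail.
    if now > link["expires"] or link["user_id"] != user["id"]:
        return False
    expected = make_signature(user, link["expires"], link["props"])
    return hmac.compare_digest(expected, link["hash"])


def reset_scenario(props: tuple) -> tuple:
    # Returns (valid on first click, still valid after the password change).
    user = {"id": 42, "password": hash_password("old-password")}
    link = create_link(user, props, lifetime=3600, now=1_000)
    first = verify_link(link, user, now=1_001)
    user["password"] = hash_password("new-password")  # reset done via the link
    second = verify_link(link, user, now=1_002)
    return first, second


if __name__ == "__main__":
    print("id only       :", reset_scenario(("id",)))             # (True, True)
    print("id + password :", reset_scenario(("id", "password")))  # (True, False)
```

With `('id',)` the link keeps verifying after the reset, which is the vulnerable configuration; with `('id', 'password')` the recomputed HMAC differs and the old link is rejected.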

Read <https://www.kimai.org/en/security/ghsa-m492-gv72-xvxj> for more information.


Affected packages

Packagist / kimai/kimai
Introduced in: 0
Fixed in: 2.58.0
Fix: `composer require kimai/kimai:^2.58.0`
