Severity: LOW

GHSA-j5mc-p8qg-39j7

Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation

Details

### Summary

Kimai 2.56.0 contains an authenticated improper authorization / IDOR vulnerability in the favorite timesheet add and remove endpoints. A low-privileged user who knows another user's `timesheet.id` can add that record to, or remove it from, the victim's `favorite/recent` bookmark list. This allows cross-user manipulation of per-user favorite state without administrative privileges.

### Details

The issue affects the following routes:

- `GET /en/favorite/timesheet/add/{id}`
- `GET /en/favorite/timesheet/remove/{id}`

Both endpoints accept a user-controlled timesheet identifier and only require the caller to hold the generic `start_own_timesheet` permission. They do not verify that the referenced `Timesheet` object belongs to the currently authenticated user.

- In `src/Controller/FavoriteController.php`, the controller methods accept a `Timesheet` object directly and forward it to the favorite service.
- The root cause becomes more obvious in `src/Timesheet/FavoriteRecordService.php`: the bookmark owner is derived from `$timesheet->getUser()` instead of the currently authenticated user.
- Because of this design, any authenticated user who can reference another user's timesheet ID can modify the victim's `favorite/recent` bookmark data.

*A PoC was provided, but removed for security reasons.*
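The owner-derivation flaw described above, reduced to a self-contained sketch. This is an added illustration and not Kimai's code: the `User`, `Timesheet` and `FavoriteRecordService` classes and their method names are simplified stand-ins, the sample users and timesheet ID are constructed, and the hardened variant shows one standard way to close an IDOR of this shape (bind the action to the authenticated principal and verify ownership before touching state); it does not reproduce the actual change shipped in 2.57.0.

```php
<?php
// Added illustration, not Kimai's code: a minimal model of a bookmark
// service showing the flawed owner derivation beside a hardened version.
declare(strict_types=1);

final class User
{
    public function __construct(private int $id, private string $name) {}
    public function getId(): int { return $this->id; }
    public function getName(): string { return $this->name; }
}

final class Timesheet
{
    public function __construct(private int $id, private User $user) {}
    public function getId(): int { return $this->id; }
    public function getUser(): User { return $this->user; }
}

final class AccessDeniedException extends RuntimeException {}

final class FavoriteRecordService
{
    /** @var array<int, int[]> bookmark owner id => list of timesheet ids */
    private array $favorites = [];

    // Flawed pattern: the bookmark owner is taken from the timesheet itself,
    // so whoever can reference the timesheet id edits that owner's list.
    public function addFavoriteUnchecked(Timesheet $ts): void
    {
        $owner = $ts->getUser()->getId();
        $this->favorites[$owner][] = $ts->getId();
    }

    // Hardened pattern: the caller's identity is passed in explicitly, the
    // timesheet must belong to that caller, and the bookmark is filed under
    // the caller rather than under whatever user the timesheet points at.
    public function addFavorite(User $actor, Timesheet $ts): void
    {
        $this->assertOwnedBy($actor, $ts);
        $this->favorites[$actor->getId()][] = $ts->getId();
    }

    public function removeFavorite(User $actor, Timesheet $ts): void
    {
        $this->assertOwnedBy($actor, $ts);
        $id = $actor->getId();
        $this->favorites[$id] = array_values(array_filter(
            $this->favorites[$id] ?? [],
            fn (int $tid): bool => $tid !== $ts->getId()
        ));
    }

    /** @return int[] */
    public function favoritesOf(User $u): array
    {
        return $this->favorites[$u->getId()] ?? [];
    }

    private function assertOwnedBy(User $actor, Timesheet $ts): void
    {
        if ($ts->getUser()->getId() !== $actor->getId()) {
            throw new AccessDeniedException(sprintf(
                'Timesheet %d does not belong to user %d',
                $ts->getId(),
                $actor->getId()
            ));
        }
    }
}

// Constructed sample: attacker (id 7) references the victim's (id 3) timesheet 42.
$victim   = new User(3, 'victim');
$attacker = new User(7, 'attacker');
$victimTs = new Timesheet(42, $victim);

$svc = new FavoriteRecordService();

// Flawed path: the attacker never appears in the call, yet the victim's
// list changes, which is exactly the cross-user write in the advisory.
$svc->addFavoriteUnchecked($victimTs);
var_dump($svc->favoritesOf($victim));   // contains 42

// Hardened path: the same request, now bound to the caller, is refused
// and the attacker's own list stays empty.
try {
    $svc->addFavorite($attacker, $victimTs);
} catch (AccessDeniedException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($svc->favoritesOf($attacker)); // empty
```

The point of the hardened variant is that authorization is evaluated against the authenticated principal and the specific object, not against a coarse permission such as `start_own_timesheet` alone; a route-level permission check says nothing about which timesheet the `{id}` parameter resolves to.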

### Impact

This vulnerability allows any authenticated low-privileged user to manipulate another user's favorite bookmark state across accounts. An attacker can inject arbitrary victim-owned timesheet entries into the victim's quick-entry workflow, remove existing favorites, and repeatedly disturb the victim's normal timesheet usage without needing administrative privileges.

The issue does not directly disclose sensitive data, but it is a real cross-user business-state tampering vulnerability with clear integrity impact. Because the add and remove endpoints can be combined, an attacker can reliably insert, remove, and reorder entries in another user's `favorite/recent` list.


Affected package

Packagist / kimai/kimai
First affected version: 0. Fixed version: 2.57.0
Fix: `composer require kimai/kimai:^2.57.0`
