CVE-2019-15481: Kimai v2 is vulnerable to Cross-Site Scripting (XSS)
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.45059%
CWE
Published
5/24/2022
Updated
9/20/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
kevinpapst/kimai2 | composer | < 1.1 | 1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The XSS vulnerability was patched in commit a0e8aa3 via PR #962, which modified MarkdownExtension.php
. The codecov report shows this file was impacted, and release notes explicitly mention this fix addresses timesheet description XSS. As Markdown processing functions are common XSS vectors when unescaped HTML is allowed, and the patch likely added sanitization or safe rendering flags to markdownToHtml()
, this function is the clear entry point for the vulnerability.