
CVE-2019-15481: Kimai v2 is vulnerable to Cross-Site Scripting (XSS)

CVSS Score: 6.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.45059%
Published: 5/24/2022
Updated: 9/20/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
kevinpapst/kimai2   composer    < 1.11.1

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The XSS vulnerability was patched in commit a0e8aa3 via PR #962, which modified MarkdownExtension.php. The codecov report shows this file was affected, and the release notes explicitly state that the fix addresses XSS via the timesheet description. Markdown rendering is a common XSS vector when unescaped HTML is allowed through, and the patch most likely added sanitization or safe-rendering flags to markdownToHtml(), so this function is the probable entry point for the vulnerability.
