
CVE-2021-3992: kimai2 is vulnerable to Improper Access Control

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.45419%
Published: 12/3/2021
Updated: 1/30/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name       | Ecosystem | Vulnerable Versions | First Patched Version
kevinpapst/kimai2  | composer  | < 1.16.3            | 1.16.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from three key issues:

  1. In InvoiceController::previewAction, the original route accepted user-controlled template ID and customer ID parameters with only a role-level 'view_invoice' permission check, so manipulating those parameters gave access to other customers' data the user was not entitled to see.
  2. CustomerRepository allowed customer IDs supplied through form parameters to be injected into queries without validating that the user had the right to access those customers.
  3. CustomerVoter lacked team membership checks for customer access until the 'access' permission was implemented.

The patch added multiple security annotations (@Security), team checks in the voter, and parameter validation controls to properly enforce access restrictions.
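As an added illustration (not Kimai's code and not the actual patch), the following self-contained PHP script models the gap the analysis describes: a preview action that checks only a role-level 'view_invoice' permission, beside one that additionally asks a team-aware CustomerVoter for object-level 'access' on the requested customer. The class and function names, team and role values, and customer records are constructed stand-ins.

```php
<?php
// Added illustration, not Kimai's code. Names and sample data are constructed.
final class User {
    public function __construct(public string $name, public array $teams, public array $roles) {}
}
final class Customer {
    public function __construct(public int $id, public string $name, public array $teams) {}
}

final class CustomerVoter {
    // Object-level 'access' decision: super admins see every customer,
    // everyone else only customers assigned to one of their own teams.
    public function vote(User $user, string $attribute, Customer $customer): bool {
        if ($attribute !== 'access') { return false; }
        if (in_array('ROLE_SUPER_ADMIN', $user->roles, true)) { return true; }
        return array_intersect($user->teams, $customer->teams) !== [];
    }
}

// BEFORE: only a role-level check; the customer id from the request is used
// directly, so any user holding 'view_invoice' can preview any customer.
function previewBefore(User $user, int $customerId, array $customers): string {
    if (!in_array('view_invoice', $user->roles, true)) { throw new RuntimeException('403'); }
    return 'preview for ' . $customers[$customerId]->name;
}

// AFTER: same role check, plus a vote on the specific customer object, which
// is where the team-membership constraint is enforced.
function previewAfter(User $user, int $customerId, array $customers, CustomerVoter $voter): string {
    if (!in_array('view_invoice', $user->roles, true)) { throw new RuntimeException('403'); }
    $customer = $customers[$customerId] ?? throw new RuntimeException('404');
    if (!$voter->vote($user, 'access', $customer)) { throw new RuntimeException('403'); }
    return 'preview for ' . $customer->name;
}

// Constructed sample data: two customers in different teams, one user in team-a.
$customers = [
    1 => new Customer(1, 'Acme', ['team-a']),
    2 => new Customer(2, 'Globex', ['team-b']),
];
$alice = new User('alice', ['team-a'], ['view_invoice']);
$voter = new CustomerVoter();

echo previewBefore($alice, 2, $customers), PHP_EOL;       // leaks the team-b customer
try {
    echo previewAfter($alice, 2, $customers, $voter), PHP_EOL;
} catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }  // 403
echo previewAfter($alice, 1, $customers, $voter), PHP_EOL;        // own team's customer
```

The script needs PHP 8 or later for constructor promotion and the `?? throw` expression.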
