CVE-2019-25317
Persistent XSS in Kimai 2 Timesheet Descriptions Enables Script Injection
Publication date: 2026-02-11
Last updated on: 2026-02-19
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kimai | kimai | up to 1.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25317 is a persistent (stored) cross-site scripting (XSS) vulnerability in Kimai 2, a PHP-based time-tracking web application. It allows an attacker with access to the timesheet form to store a malicious script in the timesheet description field. When other users view the affected timesheet page, the stored SVG-based JavaScript payload executes, giving the attacker arbitrary script execution in those users' browsers.
The vulnerability arises because the application does not properly escape or otherwise neutralize the description value before rendering it, so embedded SVG elements with event handlers execute JavaScript when the page is loaded.
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript code in the context of authenticated users of the Kimai 2 application.
- Attackers can hijack user sessions.
- They can perform actions on behalf of users, potentially leading to unauthorized access or data manipulation.
- It can lead to defacement of the application interface or injection of malicious content.
- Overall, it compromises the integrity and security of the application and its users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject a known XSS payload into the timesheet description field of the Kimai 2 application and observing whether the payload executes when the page is loaded or refreshed.
- Access the timesheet creation page at `/index.php/en/timesheet/create`.
- Submit a POST request with a malicious payload in the description field, for example: `"><svg/onload=alert('xss')>`.
- Observe whether a JavaScript alert or any other script execution occurs when the page is refreshed or viewed by other users.
A sample curl command to test this could be:
`curl -X POST -d "description=\"><svg/onload=alert('xss')>" https://your-kimai-instance/index.php/en/timesheet/create` [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Kimai 2 to a version that includes the fix for this vulnerability.
The vulnerability was fixed by sanitizing or properly handling the timesheet description input to prevent malicious scripts from executing.
- Apply the fix introduced in the GitHub pull request #962 merged on July 14, 2019.
- Upgrade to the Kimai 2 release that includes the 1.1 milestone, or any later release, since these contain the fix.
Until the update can be applied, restrict access to the timesheet description input field to trusted users only and monitor for suspicious inputs.
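The standard fix for this class of bug is context-aware output encoding of the description wherever it is rendered, plus an audit of records stored before the patch. The following PHP is an added example, not Kimai's code and not the change made in pull request #962; the function names and the sample descriptions (including the payload shape quoted in this record) are constructed for illustration.

```php
<?php
// Added example (not from Kimai): contrasts unescaped rendering of a
// timesheet description with HTML-escaped rendering, and audits stored
// descriptions for markup that should not appear in a free-text note.

// Constructed sample records; the second is the payload shape from this CVE.
$descriptions = [
    'Sprint planning meeting',
    '"><svg/onload=alert(\'xss\')>',
    'R&D review with "client" on <2h budget>',
];

// Vulnerable pattern: stored user input concatenated into markup unchanged,
// so a stored "><svg/onload=...> closes the cell and becomes live HTML.
function renderUnsafe(string $description): string
{
    return '<td class="description">' . $description . '</td>';
}

// Hardened pattern: encode for the HTML text context. ENT_QUOTES encodes both
// quote styles, so the same value is also safe inside a quoted attribute;
// ENT_SUBSTITUTE prevents invalid UTF-8 from collapsing the output to "".
function renderSafe(string $description): string
{
    $escaped = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="description">' . $escaped . '</td>';
}

// Audit helper for records written before the fix was deployed: a tag start
// or an inline event handler (onload=, onerror=, ...) in a note is worth a
// manual review. Deliberately broad; expect some false positives.
function looksLikeMarkup(string $description): bool
{
    return (bool) preg_match('/<\s*[a-z!\/]|\bon[a-z]+\s*=/i', $description);
}

foreach ($descriptions as $d) {
    printf("unsafe : %s\n", renderUnsafe($d));
    printf("safe   : %s\n", renderSafe($d));
    printf("flagged: %s\n\n", looksLikeMarkup($d) ? 'yes' : 'no');
}
```

For the payload record, renderSafe() emits `&quot;&gt;&lt;svg/onload=alert(&#039;xss&#039;)&gt;`, which the browser displays as text rather than parsing as an element, while looksLikeMarkup() flags it for review.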