CVE-2019-25317
Awaiting Analysis Awaiting Analysis - Queue
Persistent XSS in Kimai 2 Timesheet Descriptions Enables Script Injection

Publication date: 2026-02-11

Last updated on: 2026-02-19

Assigner: VulnCheck

Description
Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25317
EUVD
EUVD-2019-19417
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kimai kimai to 1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25317 is a persistent cross-site scripting (XSS) vulnerability in Kimai 2, a PHP-based time-tracking web application. It allows attackers to inject malicious scripts into the timesheet description field. When other users view the affected timesheet page, the injected SVG-based JavaScript payload executes, enabling arbitrary code execution in their browsers.

The vulnerability arises because the application does not properly sanitize or handle the description input, allowing attackers to embed malicious SVG elements that trigger JavaScript execution when the page is loaded.

Impact Analysis

This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript code in the context of authenticated users of the Kimai 2 application.

  • Attackers can hijack user sessions.
  • They can perform actions on behalf of users, potentially leading to unauthorized access or data manipulation.
  • It can lead to defacement of the application interface or injection of malicious content.
  • Overall, it compromises the integrity and security of the application and its users.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to inject a known XSS payload into the timesheet description field of the Kimai 2 application and observing if the payload executes when the page is loaded or refreshed.'}, {'type': 'list_item', 'content': 'Access the timesheet creation page at `/index.php/en/timesheet/create`.'}, {'type': 'list_item', 'content': 'Submit a POST request with a malicious payload in the description field, for example: `"><svg/onload=alert(\'xss\')>`.'}, {'type': 'list_item', 'content': 'Observe if a JavaScript alert or any script execution occurs when the page is refreshed or viewed by other users.'}, {'type': 'paragraph', 'content': 'A sample curl command to test this could be:\ncurl -X POST -d "description=\\"><svg/onload=alert(\'xss\')>" https://your-kimai-instance/index.php/en/timesheet/create'}] [3]

Mitigation Strategies

The immediate mitigation step is to update Kimai 2 to a version that includes the fix for this vulnerability.

The vulnerability was fixed by sanitizing or properly handling the timesheet description input to prevent malicious scripts from executing.

  • Apply the fix introduced in the GitHub pull request #962 merged on July 14, 2019.
  • Upgrade to the Kimai 2 version that includes the 1.1 milestone release or later where this fix is included.

Until the update can be applied, restrict access to the timesheet description input field to trusted users only and monitor for suspicious inputs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25317. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart