CVE-2026-42267
Undergoing Analysis - In Progress
Formula Injection in Kimai Time Tracking Application

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS Evaluated: 2026-06-18
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kimai kimai From 2.27.0 (inc) to 2.54.0 (exc)
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Executive Summary

This vulnerability exists in Kimai versions 2.27.0 to 2.53.0, where any user with the ROLE_USER role can create a tag with a formula string (for example, =SUM(54+51)) as its name via the POST /api/tags endpoint and assign it to a timesheet.

When an administrator exports timesheets to XLSX format, the function ArrayFormatter.formatValue() joins tag names without sanitizing them. OpenSpout then interprets any string starting with = as a formula cell, embedding the formula in the XLSX file.

When the exported file is opened in Excel or LibreOffice Calc, the formula executes automatically, potentially allowing malicious code execution or other harmful effects.

The root cause is that tag name validation does not block formula trigger characters like =, +, -, or @, and the sanitizeDDE() function is not called.

Impact Analysis

The impact of this vulnerability is significant because a single malicious tag created by any user can affect all future timesheet exports until the tag is deleted.

When an administrator exports timesheets to XLSX, the malicious formula embedded in the tag name will execute automatically upon opening the file in Excel or LibreOffice Calc.

This can lead to unintended code execution on the administrator's workstation, potentially compromising system security or data integrity.

Detection Guidance

This vulnerability can be detected by checking if any tags created by users with ROLE_USER contain formula strings starting with characters like =, +, -, or @. Specifically, you can inspect tags created via the POST /api/tags endpoint for names that resemble spreadsheet formulas (e.g., =SUM(54+51)).

To detect such tags, you can query the database or use API calls to list tags and filter those starting with formula trigger characters.

  • Use an API call or database query to list all tags and check for names starting with '=' or another formula trigger character.
  • Example database query (assuming direct access to the Kimai database; the table and column names are as given here):
    SELECT * FROM tags WHERE name LIKE '=%' OR name LIKE '+%' OR name LIKE '-%' OR name LIKE '@%';
  • Alternatively, fetch the tags via the API (authenticating as your instance requires) and grep for suspicious names; the pattern below matches all four trigger characters at the start of a name:
    curl -s -X GET https://your-kimai-instance/api/tags | grep -E '"name": ?"[=+@-]'
Mitigation Strategies

Immediate mitigation steps include preventing users from creating tags with names starting with formula trigger characters such as =, +, -, or @.

You should update Kimai to version 2.54.0 or later, where this issue has been patched by disallowing = in tag names and using OpenSpout's TextCell for all string values to avoid formula execution.

Until you can update, manually audit and delete any tags with formula-like names to prevent malicious formulas from being included in exported XLSX files.

  • Upgrade Kimai to version 2.54.0 or later.
  • Audit and remove any tags starting with =, +, -, or @.
  • Educate administrators to be cautious when exporting timesheets to XLSX if suspicious tags exist.
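As an added example (not Kimai's or OpenSpout's code), the Python below runs the tag audit described under Detection Guidance over a constructed sample of /api/tags output, and shows the export-side guard the 2.54.0 fix relies on: the joined tag string must be forced to text before it becomes a cell. SAMPLE_TAGS, the tab/CR trigger characters and the single-quote fallback are assumptions of this example.

```python
# Audit Kimai-style tag names for spreadsheet formula triggers and guard the
# export-side value.  Added illustration, not Kimai's or OpenSpout's code.

# Leading characters that Excel and LibreOffice read as the start of a
# formula.  The advisory names =, +, -, @; tab and carriage return are the
# OWASP CSV-injection generalisation (assumption added here).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample of what GET /api/tags might return after a user created
# tags via POST /api/tags.  Not real data.
SAMPLE_TAGS = [
    {"id": 1, "name": "billing"},
    {"id": 2, "name": "=SUM(54+51)"},
    {"id": 3, "name": "@internal"},
    {"id": 4, "name": "client-review"},  # '-' only counts at position 0
    {"id": 5, "name": "-1+1"},
]


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would promote this string to a formula cell."""
    return value.startswith(FORMULA_TRIGGERS)


def audit_tags(tags):
    """Names of tags starting with a trigger: the check the advisory's
    SQL LIKE patterns and grep perform, in one place."""
    return [t["name"] for t in tags if is_formula_like(t["name"])]


def as_text_cell(value: str) -> str:
    """Force the value to be read as text.  Kimai 2.54.0 does this
    structurally with OpenSpout's TextCell; the single-quote prefix is the
    conventional CSV fallback (the apostrophe stays visible in the cell)."""
    return "'" + value if is_formula_like(value) else value


def format_tags_for_export(tag_names):
    """Mirror ArrayFormatter.formatValue(): implode() the names, then apply
    the guard to the *joined* string, since only the first character of the
    cell decides whether the spreadsheet parses a formula."""
    return as_text_cell(", ".join(tag_names))


if __name__ == "__main__":
    for name in audit_tags(SAMPLE_TAGS):
        print("suspicious tag:", repr(name))
    print(format_tags_for_export(["=SUM(54+51)", "billing"]))
```

The last assertion-style case worth noting: a formula tag in second position does not make the joined cell a formula, which is why the audit runs per tag while the guard runs on the joined value.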
Compliance Impact

The provided information does not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
