Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2


Reported on Oct 16th 2021


kevinpapst/kimai delete functionality is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

Proof of Concept


1. Log in to an admin account.

2. Go to Invoice, scroll down to preview invoices, click "Save all"; it will redirect to this page ->

3. Click delete on any invoice and capture the request with Burp's interceptor.

4. Here (in Burp) it is vulnerable to a CSRF attack.

```html
<!DOCTYPE html>
<html>
  <body>
    <form method="GET" action="">
        <input type="text" name="PHPSESSID" value="begjept58rut8ptt4r0sgc4asi">
        <input type="submit" value="Send">
    </form>
  </body>
</html>
```




# Impact

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. In general this might be to change the email address on their account, to change their password, or to make a funds transfer; here, the forged request deletes an invoice in the name of the logged-in Kimai user, because the delete request is authorised by nothing but the session cookie the browser attaches automatically.
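The forgery described in the PoC and the Impact section, simulated end to end as an added example. This is not Kimai's code (Kimai is a Symfony/PHP application); the session ids, origins, invoice ids, the shape of the delete endpoint and the token scheme are all assumptions. Note that the form posted above, as it stands, does not reproduce the attack: it submits a session id as a form field to an empty action instead of replaying the captured delete request. The block shows what makes the delete forgeable (a state-changing request authorised only by the automatically attached cookie) and the two checks that stop it: requiring POST with a matching Origin/Referer, and a per-session synchronizer token.

```python
"""Constructed simulation of CSRF against an invoice-delete endpoint.
Not Kimai's code: sessions, secret, origins, ids and the token scheme are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://kimai.example"      # assumed origin of the application
SERVER_SECRET = secrets.token_bytes(32)     # per-deployment secret used to derive tokens

# Constructed session store: what the PHPSESSID cookie resolves to server-side.
SESSIONS = {"sess-admin-1": "admin", "sess-attacker-9": "mallory"}


@dataclass
class Request:
    method: str
    params: dict                        # query string (GET) or form body (POST)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC(secret, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _authenticate(req: Request):
    return SESSIONS.get(req.cookies.get("PHPSESSID"))


def delete_invoice_vulnerable(req: Request, invoices: set) -> int:
    """The cookie is the only check, so any page the victim visits can trigger the delete
    (an <img src=...> or auto-submitting form is enough). Returns an HTTP-style status."""
    if _authenticate(req) is None:
        return 401
    invoices.discard(req.params.get("id"))
    return 200


def delete_invoice_hardened(req: Request, invoices: set) -> int:
    """Same action, but: POST only, Origin/Referer must be our site, and the form must
    carry the token that was issued to this session."""
    if _authenticate(req) is None:
        return 401
    if req.method != "POST":
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403                      # cross-site (or header missing): reject
    token = req.params.get("_token", "")
    if not hmac.compare_digest(token, csrf_token(req.cookies["PHPSESSID"])):
        return 403                      # token absent, forged, or from another session
    invoices.discard(req.params.get("id"))
    return 200


def simulate() -> dict:
    """Replay constructed requests against both handlers.
    Returns {"vulnerable": {...}, "hardened": {...}} with status codes and surviving invoices."""
    victim = {"PHPSESSID": "sess-admin-1"}
    requests = {
        # <img src="https://kimai.example/invoice/delete?id=17"> on the attacker's page:
        # the browser attaches the victim's cookie, the attacker controls nothing else.
        "forged_get": Request("GET", {"id": "17"}, victim, {"Referer": "https://evil.example/"}),
        # Auto-submitting <form method="POST"> on the attacker's page; the browser sets Origin.
        "forged_post": Request("POST", {"id": "17"}, victim, {"Origin": "https://evil.example"}),
        # Attacker's own token replayed with the victim's cookie, assuming the origin check
        # were somehow satisfied: shows the token is bound to the session, not global.
        "stolen_token": Request("POST", {"id": "17", "_token": csrf_token("sess-attacker-9")},
                                victim, {"Origin": SITE_ORIGIN}),
        # Legitimate submission of the application's own delete form.
        "legit_post": Request("POST", {"id": "17", "_token": csrf_token("sess-admin-1")},
                              victim, {"Origin": SITE_ORIGIN}),
    }
    out = {}
    for name, handler in (("vulnerable", delete_invoice_vulnerable),
                          ("hardened", delete_invoice_hardened)):
        results = {}
        for rname, req in requests.items():
            invoices = {"17", "18"}     # fresh state per request
            results[rname] = handler(req, invoices)
            results[rname + "_remaining"] = sorted(invoices)
        out[name] = results
    return out


if __name__ == "__main__":
    for handler_name, results in simulate().items():
        print(handler_name, results)
```

The Origin/Referer check is defense in depth only: some privacy settings strip Referer, so a real deployment should treat the token as the primary control and reject, rather than allow, when both headers are absent, as the code above does. Both fixes also depend on the delete being a POST: a GET that changes state cannot be protected by a form token, because an image tag carries no form body.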
Timeline

We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back (a year ago)
Asura-N modified the report (a year ago)
Kevin Papst validated this vulnerability (a year ago)
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs

Kevin Papst (a year ago):

@asura-n thanks for posting and sorry for the delay!

Reply (a year ago):

Thanks @kevinpapst

Kevin Papst submitted a (a year ago)
Kevin Papst confirmed that a fix has been merged on 1d32e4 (a year ago)
Kevin Papst has been awarded the fix bounty