Cross-site Scripting (XSS) - Stored in kevinpapst/kimai2


Reported on

Nov 18th 2021


Cross site scripting vulnerability in name field on customer edit form

Proof of Concept

place this payload in customer name field    and save  "><iMg SrC="x" oNeRRor="alert(1);">

# Impact

This vulnerability is capable of stolen the user session
We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. a year ago
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back a year ago
Kevin Papst validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst
a year ago


I worked on that before and thought it was fixed, but seems the Javascript was still broken. Thanks for the report @Asura-N !

Kevin Papst submitted a
a year ago
Kevin Papst marked this as fixed in 1.16.3 with commit 89bfa8 a year ago
Kevin Papst has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
a year ago


CVE published! 🎊

to join this conversation