software

CVE-2019-25317: Time is Money, and XSS: Dissecting CVE-2019-25317 in Kimai 2

Published: (February 11, 2026 at 02:40 PM EST)
2 min read
Source: Dev.to

Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: CVE‑2019‑25317
  • CWE ID: CWE‑79 (Improper Neutralization of Input During Web Page Generation)
  • CVSS v3.1 Score: 6.4 (Medium)
  • Published: 2026‑02‑11
  • Affected Versions: Kimai 2 ≤ 1.0.1 (fixed in 1.1)

Kimai 2 is a popular open‑source time‑tracking application. Versions prior to 1.1 contain a stored cross‑site scripting (XSS) flaw in the timesheet description field. The application rendered Markdown without sanitising HTML, allowing an authenticated user to inject arbitrary JavaScript. The payload executes when an administrator views the affected timesheet, potentially leading to session hijacking.

Technical Details

  • Attack Vector: Network (stored)
  • Privileges Required: Low (authenticated user)
  • Impact: Confidentiality & integrity (session hijacking)
  • Exploit Status: PoC available (Exploit‑DB #47286)

Vulnerable Code Snippet

- return $this->markdown->toHtml($content, true);
+ return $this->markdown->toHtml($content, false);

The second argument controls whether raw HTML is allowed in the rendered output. Setting it to false disables HTML injection.

Exploit Overview

The proof‑of‑concept posted on Exploit‑DB demonstrates a persistent XSS payload injected via the description column of the timesheet table. When an admin opens the corresponding timesheet, the malicious script runs in the admin’s browser, enabling actions such as:

  • Session cookie theft
  • Arbitrary request execution on behalf of the admin

Remediation & Mitigation

  1. Upgrade Kimai 2 to version 1.1 or later.

  2. Sanitise existing data – scan the description column for suspicious payloads and clean or remove them.

  3. Disable HTML in Markdown – ensure the Markdown renderer is called with the HTML‑allow flag set to false (as shown in the diff above).

  4. Implement a Content Security Policy (CSP) to restrict script sources, e.g.:

    Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com;

  5. Apply additional defence‑in‑depth measures such as input sanitisation, output encoding, and regular security reviews.

References

  • Kimai 2 Pull Request #962 (fixing the XSS issue)
  • Exploit‑DB Entry 47286 – Persistent XSS PoC via Timesheet Description
  • Full CVE‑2019‑25317 report (available on the vendor’s website)
0 views
#software #programming #community
View source
Share:
Back to Blog

Related posts

Read more »