Kimai Stored Cross-Site Scripting Vulnerability in Team Member Widget

Vulnerability

A stored cross-site scripting vulnerability has been identified in Kimai, an open-source time tracking application, affecting versions from 1.16.3 up to, but not including, 2.52.0. The root cause is the escapeForHtml() function in KimaiEscape.js, which escapes the characters needed for text-node context but does not escape the double quote (") or single quote (') characters. That is enough for content placed between tags, but not for content placed inside a quoted attribute value: a quote character terminates the attribute, and whatever follows is parsed as further attributes of the same element. A user's profile alias is inserted into exactly such an attribute in the team member form prototype, which is then rendered through innerHTML. An authenticated user with ROLE_USER privileges can therefore set an alias that closes the attribute and adds an event-handler attribute; no <script> tag is required. The payload executes in the browser of any administrator who opens the team form, and since it runs inside the administrator's authenticated session it can issue requests with administrator rights, leading to privilege escalation.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected alias persists in the database and executes every time an administrator renders the team form, in the context of that administrator's browser session. Script running in that session can act with the administrator's privileges against the application.

Reproduction

To reproduce this vulnerability, an authenticated user with ROLE_USER privileges sets their profile alias to a value containing a double quote followed by an event-handler attribute. The alias is saved as entered. When the team member form is built, the alias is placed into an HTML attribute of the member-row prototype without the quote being escaped, and the prototype is inserted via innerHTML. When an administrator views the team form, the injected attribute is parsed as part of the element and the JavaScript payload executes in the administrator's browser.
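The following is an added example, not Kimai's own code, illustrating the mechanism described in the Vulnerability and Reproduction sections: an HTML escaper that skips quote characters is safe for text-node context but lets a value break out of a quoted attribute. The member-row template, the attribute names and the payload are constructed for the example; the weak escaper models the behaviour the advisory attributes to escapeForHtml(), and the fixed escaper shows the hardening the advisory describes. A small attribute tokenizer reports which attributes a browser would see on the rendered element.

```javascript
// Added example (not part of the Kimai project): quote-less HTML escaping
// versus attribute-safe escaping, checked on a constructed team-member row.

// Weak escaper: handles &, < and > only. This is the text-context subset the
// advisory describes; quotes pass through untouched.
function escapeForHtmlWeak(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened escaper: additionally neutralises both quote characters so a value
// can never terminate the quoted attribute it is placed in.
function escapeForHtmlFixed(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical member-row prototype (assumed shape, not Kimai's template):
// the alias lands inside a double-quoted attribute, the context the advisory
// says the team form uses before handing the markup to innerHTML.
function renderMemberRow(alias, escape) {
  return `<input type="text" name="team[members][alias]" value="${escape(alias)}">`;
}

// Minimal attribute tokenizer for one start tag. It returns the attribute
// names a browser would parse, which is enough to show whether the alias
// stayed inside its attribute or spilled out into new ones.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const names = [];
  const re = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed payload: the leading quote closes value="...", the remainder is
// parsed as two extra attributes, the second of them an event handler.
const PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

// True when the rendered row carries an on* attribute that came from the alias.
function hasInjectedHandler(escape) {
  return attributeNames(renderMemberRow(PAYLOAD, escape)).some((n) => n.startsWith("on"));
}

// Stand-alone run: compare both escapers on the same payload.
console.log("weak escaper injected handler:", hasInjectedHandler(escapeForHtmlWeak));   // true
console.log("fixed escaper injected handler:", hasInjectedHandler(escapeForHtmlFixed)); // false
console.log(renderMemberRow(PAYLOAD, escapeForHtmlFixed));
```

Two caveats follow from the example. Escaping quotes only protects attributes that are actually quoted in the template; an unquoted attribute is terminated by whitespace, so `autofocus onfocus=...` would still be injected there. And escaping is a mitigation for a template that has already chosen innerHTML; building the element with `document.createElement` and `setAttribute`, or assigning the alias through `textContent`, removes the attribute-context problem altogether rather than patching around it.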

Remediation

Update to Kimai version 2.53.0, in which escapeForHtml() also escapes double and single quote characters, so a user-controlled alias can no longer terminate the attribute it is rendered into.

Added: Apr 17, 2026, 11:18 PM
Updated: Apr 17, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 7.9
exploitability: 6.3
remediation: 7.7
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.