Kimai User Preferences API Privilege Escalation Vulnerability

Vulnerability

A vulnerability in the Kimai User Preferences API endpoint allows authenticated users to arbitrarily modify restricted financial attributes, specifically the 'hourly_rate' and 'internal_rate' fields. This issue affects Kimai versions through 2.52.0. The vulnerability arises because the API endpoint applies submitted preference values without verifying the 'isEnabled()' flag on preference objects. Although the 'hourly_rate' and 'internal_rate' fields are correctly disabled for users without the 'hourly-rate' role permission, the API ignores this restriction, allowing unauthorized modifications. As a result, any authenticated user can tamper with their billing rates, leading to unauthorized changes in invoices and timesheet calculations.
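The authorization gap described above, modelled in Python as an added example that is neither Kimai's code nor its API: the Preference and User classes, the `enabled` flag standing in for the advisory's isEnabled(), the `has_hourly_rate_permission` attribute standing in for the 'hourly-rate' role permission, and the two PATCH handlers are all assumptions chosen for illustration. The vulnerable handler writes every submitted field; the hardened one validates the whole request against the per-field flag before touching any value, and a small triage helper lists users whose rates deserve review after the fix is deployed.

```python
# Added illustrative model (not Kimai's code): each preference carries an
# "enabled" flag that is False when the requesting user lacks the permission
# that unlocks the field. The vulnerable handler applies submitted values
# without consulting that flag; the fixed handler refuses them.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

RATE_FIELDS = ("hourly_rate", "internal_rate")  # the two fields named in the advisory


@dataclass
class Preference:
    name: str
    value: Any
    enabled: bool  # hypothetical counterpart of the advisory's isEnabled() flag

    def is_enabled(self) -> bool:
        return self.enabled


@dataclass
class User:
    username: str
    has_hourly_rate_permission: bool  # stands in for the 'hourly-rate' role permission
    preferences: Dict[str, Preference] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Rate fields are editable only when the permission is held; other
        # preferences are always editable. Constructed default rate is 0.0.
        self.preferences = {
            "timezone": Preference("timezone", "UTC", True),
            "hourly_rate": Preference("hourly_rate", 0.0, self.has_hourly_rate_permission),
            "internal_rate": Preference("internal_rate", 0.0, self.has_hourly_rate_permission),
        }


def patch_preferences_vulnerable(user: User, submitted: Dict[str, Any]) -> Tuple[int, Dict[str, List[str]]]:
    """Mirrors the flaw: every known field is written, is_enabled() is never consulted."""
    for name, value in submitted.items():
        if name in user.preferences:
            user.preferences[name].value = value
    return 200, {}


def patch_preferences_fixed(user: User, submitted: Dict[str, Any]) -> Tuple[int, Dict[str, List[str]]]:
    """Hardened form: validate the whole request before writing anything.

    A disabled field yields 403 and an unknown field 400; in both cases no
    preference is modified, so a partially applied request cannot occur.
    """
    unknown = [n for n in submitted if n not in user.preferences]
    disabled = [n for n in submitted if n in user.preferences and not user.preferences[n].is_enabled()]
    if disabled:
        return 403, {"rejected": disabled, "unknown": unknown}
    if unknown:
        return 400, {"rejected": [], "unknown": unknown}
    for name, value in submitted.items():
        user.preferences[name].value = value
    return 200, {}


def users_with_rates_but_no_permission(users: List[User]) -> List[str]:
    """Triage heuristic for a post-upgrade review: users who cannot edit their
    rates yet carry a non-zero value. Rates legitimately set by an admin also
    match, so the result is a review list, not proof of tampering."""
    return [u.username for u in users
            if not u.has_hourly_rate_permission
            and any(u.preferences[f].value not in (0, 0.0, None) for f in RATE_FIELDS)]


if __name__ == "__main__":
    alice = User("alice", has_hourly_rate_permission=False)
    print(patch_preferences_vulnerable(alice, {"hourly_rate": 999.0}), alice.preferences["hourly_rate"].value)
    bob = User("bob", has_hourly_rate_permission=False)
    print(patch_preferences_fixed(bob, {"hourly_rate": 999.0}), bob.preferences["hourly_rate"].value)
    print(users_with_rates_but_no_permission([alice, bob]))
```

The fixed handler deliberately checks every submitted field before writing any of them: rejecting field by field while applying the rest would still let a mixed request change the allowed fields and leave the caller guessing which ones were saved. Returning the rejected names makes the 403 actionable for legitimate API clients without revealing anything the caller did not already send.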

Impact

Exploitation of this vulnerability allows standard users to manipulate their own billing rates, causing fraudulent invoices and distorted timesheet exports. This unauthorized financial tampering can disrupt the application's core financial calculations.

Reproduction

To reproduce this vulnerability, log into Kimai as a standard user without 'hourly-rate' role permissions. Capture the session cookies and send a PATCH request to the User Preferences API endpoint, including the 'hourly_rate' and 'internal_rate' fields with arbitrary values. The server will respond with a 200 OK status, indicating that the values have been successfully saved, despite the lack of proper authorization. This can be verified by checking the user's profile or logging new timesheets, which will reflect the modified rates.

Remediation

Users can update to Kimai version 2.53.0, where this vulnerability has been fixed. Upgrading stops further changes through the API but does not revert rates that were already modified, so the 'hourly_rate' and 'internal_rate' values of users who lack the 'hourly-rate' permission should be reviewed and corrected after the update.

Added: Apr 17, 2026, 11:18 PM
Updated: Apr 17, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.