Kimai
cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*
- < 2.54.0
A vulnerability exists in Kimai's Team API endpoints prior to version 2.54.0, where incorrect permission attributes allow users with the 'edit_team' permission to modify any team. The flaw arises because the endpoints pass 'edit_team' as the sole argument to the authorization check, without the Team entity as subject, so the Symfony TeamVoter, which only handles entity-level attributes, never votes on the request. As a result, the ownership check is bypassed, enabling unauthorized modifications to team memberships and assignments.
Exploitation of this vulnerability allows users with the 'edit_team' permission to alter any team's membership and project or activity assignments, regardless of their actual role or affiliation with the team.
To reproduce this vulnerability, authenticate as a user with the 'edit_team' permission who is not a member of the target team. Then, send a POST request to the Team API endpoint for adding a member to the team. The absence of the required entity-level authorization check will result in a 200 OK response, successfully adding the user to the team, contrary to the expected 403 Forbidden response.
Users should update to Kimai version 2.54.0 or later, where this vulnerability has been patched.
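As an added illustration of the authorization flaw described above and of the fixed form, the following simplified Symfony voter and controller are not Kimai's own code (which was not examined here): AppUser, Team, the TeamVoter internals and the 'edit' attribute name are assumptions, while the Symfony Voter and AbstractController APIs are real.

```php
<?php
// Added illustration, not Kimai's code: AppUser, Team and the 'edit_team' vs 'edit'
// attribute split are simplified assumptions; the Symfony Voter/controller API is real.
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
final class AppUser implements UserInterface
{
    public function __construct(private string $name, private array $permissions) {}
    public function hasPermission(string $name): bool { return in_array($name, $this->permissions, true); }
    public function getRoles(): array { return ['ROLE_USER']; }
    public function getUserIdentifier(): string { return $this->name; }
    public function eraseCredentials(): void {}
}
final class Team
{
    /** @param AppUser[] $teamleads */
    public function __construct(private array $teamleads) {}
    public function isTeamlead(AppUser $user): bool { return in_array($user, $this->teamleads, true); }
}
final class TeamVoter extends Voter
{
    private const ATTRIBUTES = ['view', 'edit', 'delete'];
    protected function supports(string $attribute, mixed $subject): bool
    {
        // A bare isGranted('edit_team') carries no Team subject, so this voter abstains and
        // only the global permission voter answers: the ownership check below never runs.
        return $subject instanceof Team && in_array($attribute, self::ATTRIBUTES, true);
    }
    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $user = $token->getUser();
        if (!$user instanceof AppUser || !$user->hasPermission('edit_team')) {
            return false; // the global permission is still required
        }
        return $subject->isTeamlead($user); // ownership: must lead *this* team
    }
}
final class TeamApiController extends AbstractController
{
    public function addMember(Team $team, AppUser $member): Response
    {
        // Before the fix: denyAccessUnlessGranted('edit_team') with no subject, so only the
        // global permission was tested and any 'edit_team' holder could modify any team.
        $this->denyAccessUnlessGranted('edit', $team); // routes through TeamVoter: non-leads get 403
        return new Response('', Response::HTTP_OK);    // ... membership change would go here
    }
}
```

The same pattern applies to every Team API endpoint: each check should name the entity-level attribute and pass the Team instance as subject, so the voter's ownership test actually runs.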