Kimai Formula Injection Vulnerability in Tag Names Allows Malicious Excel Exports

Vulnerability

A formula injection vulnerability has been identified in Kimai, an open-source time tracking application, affecting versions from 2.27.0 up to but not including 2.54.0. Any user with the ROLE_USER role can create a tag whose name is a formula string, such as '=SUM(54+51)', and assign it to a timesheet. When an admin exports timesheets to XLSX, the application does not sanitize the tag names, so Excel evaluates the injected formula when the file is opened. This issue has been patched in version 2.54.0.

Impact

Exploitation of this vulnerability allows any ROLE_USER to inject a formula that is executed on the workstation of any user who exports and opens the timesheet data in Excel. Once a malicious tag is created, it affects all future exports for all users and date ranges until the tag is deleted.

Reproduction

To reproduce this vulnerability, log in as a user with the ROLE_USER role. Create a tag with a formula string as its name, such as '=SUM(54+51)', and assign it to a timesheet. Then have an admin export the timesheets to Excel via the '/en/export/' endpoint. When the exported file is opened in Excel, the injected formula is evaluated.

Remediation

Users can update to Kimai version 2.54.0 or later, where this vulnerability has been fixed.
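As an added illustration (not Kimai's own code or its actual fix), the following shows the defense-in-depth check an export path needs: any cell beginning with a character that spreadsheet applications treat as a formula trigger is neutralized before it is written, and existing tag names can be scanned for the same pattern. The set of trigger characters and the leading-quote escape are assumptions following common guidance for CSV/formula injection; the sample tag names are constructed.

```python
import csv
import io

# Characters that make Excel/LibreOffice interpret a cell as a formula.
# Tab and carriage return are included because some importers strip them
# before inspecting the first character. (Assumed list, not Kimai's.)
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value) -> bool:
    """True if a cell value would be evaluated as a formula on open."""
    return isinstance(value, str) and value.startswith(FORMULA_PREFIXES)


def neutralize_cell(value):
    """Force a formula-like cell to be stored as literal text."""
    if not is_formula_like(value):
        return value
    # A leading single quote tells the spreadsheet to keep the cell as text.
    return "'" + value


def sanitize_row(row):
    """Neutralize every cell of one export row (dates, numbers pass through)."""
    return [neutralize_cell(v) for v in row]


def export_timesheets_csv(rows) -> str:
    """Write timesheet rows to CSV text with all cells neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow(sanitize_row(row))
    return buf.getvalue()


def flag_suspicious_tags(tag_names):
    """Defender check: tag names already stored that would be evaluated on export."""
    return [t for t in tag_names if is_formula_like(t)]


# Constructed sample data: tag names as they might sit in the database,
# one of them the payload shape quoted in the advisory.
SAMPLE_TAGS = ["billable", "=SUM(54+51)", "client-x", "-1+1", "@review"]

if __name__ == "__main__":
    print("suspicious tags:", flag_suspicious_tags(SAMPLE_TAGS))
    print(export_timesheets_csv([["2026-05-08", 8.0, "=SUM(54+51)"]]))
```

Running the tag scan against the tag table is a cheap way to find tags created before the upgrade, which the advisory notes keep affecting every export until they are deleted.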

Added: May 8, 2026, 4:28 AM
Updated: May 8, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.4
exploitability: 6.2
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.