CVE-2023-53957

Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking

CVSS 8.5 HIGHEPSS 0.5%CWE-1275

In short

Kimai 1.30.10 fails to properly protect session cookies, allowing attackers to steal them through a trick that makes victims run malicious code. This lets attackers hijack user sessions and impersonate legitimate users.

Technical detail

The application lacks proper SameSite cookie attributes, enabling cross-site request forgery (CSRF) attacks where victims are lured to execute crafted PHP scripts that capture session cookies. An attacker can leverage this to perform unauthorized actions on behalf of authenticated users without additional authentication.

Summary generated and translated by AI from the official description.

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

Kimai · Kimai

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/kimai/kimai/releases/tag/1.30.10 https://www.exploit-db.com/exploits/51278 https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking