Kimai 2 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into timesheet descriptions. Attackers can insert SVG-based XSS payloads in the description field to execute arbitrary JavaScript when the page is loaded and viewed by other users.
Security readout for executives and security teams
Plain-English summary
Kimai 2 has a stored cross-site scripting issue in timesheet descriptions. A logged-in attacker can save malicious content that runs in another user’s browser when viewed. This can expose session data or alter actions within the application context, but sources rate it medium and do not show confirmed active exploitation.
Executive priority
Treat as a moderate-priority application security fix. Prioritize faster if Kimai is internet-facing, used by many employees, or accessed by administrators who manage sensitive time, billing, or customer data.
Technical view
CVE-2019-25317 is CWE-79 persistent XSS in Kimai 2 timesheet description handling. The CVSS 3.1 score is 6.4, with network access, low complexity, low privileges required, changed scope, and low confidentiality and integrity impact. A public Exploit-DB entry and a GitHub pull request for a fix are cited.
Likely exposure
Organizations running Kimai 2, especially internet-accessible or broadly used internal time-tracking deployments, may be exposed if users can create or edit timesheet descriptions.
Exploitation context
The attacker needs application-level privileges to enter timesheet descriptions. Execution occurs when another user loads affected content. The source bundle includes a public exploit reference, but CISA KEV is false and no source confirms active exploitation.
Researcher notes
Evidence supports stored XSS in Kimai 2 via timesheet descriptions and a public exploit listing. Exact affected and fixed version boundaries are not provided in the source bundle, so validation should focus on code lineage, PR #962 status, and vendor guidance.
Mitigation direction
Identify all Kimai 2 deployments and their current versions.
Review the vendor repository and PR #962 for the applicable fix.
Upgrade or patch according to Kimai project guidance.
Restrict timesheet editing to trusted users until remediated.
Monitor for suspicious script-like content in timesheet descriptions.
Validation and detection
Confirm whether the environment runs affected Kimai 2 code.
Verify the fix associated with GitHub PR #962 is applied.
Review timesheet descriptions for unexpected embedded markup or script behavior.
Check web logs for unusual access around timesheet viewing pages.
Retest safely in a non-production environment after patching.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.