Publish Advisories

GHSA-cj3c-5xpm-cx94
GHSA-vm8q-m57g-pff3
GHSA-6f3v-2r2j-2rpr
GHSA-7g2v-jj9q-g3rg

Author: advisory-database[bot]

advisories/github-reviewed/2024/03/GHSA-cj3c-5xpm-cx94/GHSA-cj3c-5xpm-cx94.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cj3c-5xpm-cx94",
-  "modified": "2024-03-29T19:05:49Z",
+  "modified": "2025-10-13T15:42:26Z",
   "published": "2024-03-29T19:05:49Z",
   "aliases": [
     "CVE-2024-29200"
   ],
   "summary": "Kimai API returns timesheet entries a user should not be authorized to view",
-  "details": "### Summary\nThe permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API.\n\n### Details\nWhen setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.\n\nExample:\nThere are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.\nIn the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1.\nIn the API, however, he has access to E1 **and E2**.\n\nAdditionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.\n\n### PoC\n- Give a user `view_other_timesheet` permission\n- The result of the UI and the API call to `/api/timesheets?user=all` differs in the data that is being returned\n\nCurl command:\n```bash\ncurl -X 'GET' \\\n  'https://kimai.instance.com/api/timesheets?user=all' \\\n  -H 'accept: application/json' \\\n  -H 'X-AUTH-USER: username' \\\n  -H 'X-AUTH-TOKEN: api_token'\n ```\n\n### Impact\nThis is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to.\nThis greatly affects the confidentiality of timesheet entries. \n\nRestricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.\n",
+  "details": "### Summary\nThe permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API.\n\n### Details\nWhen setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not.\n\nExample:\nThere are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2.\nIn the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1.\nIn the API, however, he has access to E1 **and E2**.\n\nAdditionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets in the API.\n\n### PoC\n- Give a user `view_other_timesheet` permission\n- The result of the UI and the API call to `/api/timesheets?user=all` differs in the data that is being returned\n\nCurl command:\n```bash\ncurl -X 'GET' \\\n  'https://kimai.instance.com/api/timesheets?user=all' \\\n  -H 'accept: application/json' \\\n  -H 'X-AUTH-USER: username' \\\n  -H 'X-AUTH-TOKEN: api_token'\n ```\n\n### Impact\nThis is at least an insufficient granularity of access control weakness. People can see timesheet entries they are not supposed to.\nThis greatly affects the confidentiality of timesheet entries. \n\nRestricting API access to administrators is also not a valid solution, as API access is needed, for example, to use the mobile app.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2024/03/GHSA-vm8q-m57g-pff3/GHSA-vm8q-m57g-pff3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vm8q-m57g-pff3",
-  "modified": "2024-07-03T21:24:21Z",
+  "modified": "2025-10-13T15:42:12Z",
   "published": "2024-03-15T21:30:43Z",
   "aliases": [
     "CVE-2024-27351"
@@ -18,7 +18,7 @@
     {
       "package": {
         "ecosystem": "PyPI",
-        "name": "django"
+        "name": "Django"
       },
       "ranges": [
         {
@@ -37,7 +37,7 @@
     {
       "package": {
         "ecosystem": "PyPI",
-        "name": "django"
+        "name": "Django"
       },
       "ranges": [
         {
@@ -56,7 +56,7 @@
     {
       "package": {
         "ecosystem": "PyPI",
-        "name": "django"
+        "name": "Django"
       },
       "ranges": [
         {

advisories/github-reviewed/2024/05/GHSA-6f3v-2r2j-2rpr/GHSA-6f3v-2r2j-2rpr.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6f3v-2r2j-2rpr",
-  "modified": "2024-05-07T19:59:29Z",
+  "modified": "2025-10-13T15:43:47Z",
   "published": "2024-05-07T18:30:33Z",
   "aliases": [
     "CVE-2024-4596"

advisories/github-reviewed/2025/02/GHSA-7g2v-jj9q-g3rg/GHSA-7g2v-jj9q-g3rg.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7g2v-jj9q-g3rg",
-  "modified": "2025-02-18T15:04:49Z",
+  "modified": "2025-10-13T15:44:33Z",
   "published": "2025-02-12T19:18:35Z",
   "aliases": [
     "CVE-2025-25184"
   ],
   "summary": "Possible Log Injection in Rack::CommonLogger",
   "details": "## Summary\n\n`Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.\n\n## Details\n\nWhen a user provides the authorization credentials via `Rack::Auth::Basic`, if success, the username will be put in `env['REMOTE_USER']` and later be used by `Rack::CommonLogger` for logging purposes.\n\nThe issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.\n\n## Impact\n\nAttackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.\n\n## Mitigation\n\n- Update to the latest version of Rack.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"