Kimai: API invoice endpoint missing customer-level access control (IDOR)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can read all invoices in the system, including those belonging to customers assigned to other teams. This issue has been patched in version 2.51.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

授权机制不恰当

kimai 授权问题漏洞

kimai是kimai个人开发者的一个基于网络的多用户时间跟踪应用程序。 kimai 2.51.0之前版本存在授权问题漏洞，该漏洞源于仅检查基于角色的view_invoice权限但未验证请求用户对发票客户的访问权限，可能导致具有ROLE_TEAMLEAD角色的用户读取系统中所有发票。

N/A

N/A