CVE-2019-25317

6.4 MEDIUM

📋 TL;DR

Kimai 2 contains a persistent cross-site scripting (XSS) vulnerability that allows attackers to inject malicious SVG scripts into timesheet descriptions. When other users view these manipulated timesheets, arbitrary JavaScript executes in their browsers. This affects all Kimai 2 instances with vulnerable versions.

💻 Affected Systems

Products:
  • Kimai 2
Versions: Versions prior to 1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Kimai 2 installations with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, though some data integrity issues may persist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to create/modify timesheets. Public exploit code exists in Exploit-DB.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3 and later

Vendor Advisory: https://github.com/kevinpapst/kimai2/pull/962

Restart Required: No

Instructions:

1. Update Kimai 2 to version 1.3 or later.
2. Run database migrations if required.
3. Clear application cache.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all versions)

Implement server-side filtering to sanitize SVG content in timesheet descriptions, for example by adding custom validation in TimesheetController.php to strip SVG tags.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SVG-based XSS payloads
  • Restrict timesheet creation/modification permissions to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check Kimai version via admin panel or composer.json. Versions below 1.3 are vulnerable.

Check Version:

php bin/console kimai:version

Verify Fix Applied:

Test by attempting to insert SVG with script tags in a timesheet description; the input should be sanitized or rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual timesheet modifications
  • Multiple failed XSS attempts in web logs

Network Indicators:

  • Unexpected external requests from Kimai server

SIEM Query:

source="kimai.log" AND ("svg" OR "script" OR "onload")
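The bare-keyword query above is a starting point, but note that the term "script" also matches the word "description" in any timesheet log line, so it flags every update. The following added example (not from the advisory or from Kimai) shows a tighter, markup-aware matcher run over constructed sample log lines; the log format is an assumption made here, not Kimai's actual layout.

```python
import re

# Constructed sample log lines for this example; the field layout is an
# assumption, not real Kimai output. Line 3 and 4 carry injected markup.
SAMPLE_LOG = """\
2019-01-10 09:12:01 INFO timesheet.update user=alice id=41 description="Sprint planning and script review"
2019-01-10 09:15:44 INFO timesheet.update user=bob id=42 description="Updated onboarding docs"
2019-01-10 09:18:02 INFO timesheet.update user=mallory id=43 description="Design <svg onload=alert(1)>"
2019-01-10 09:20:30 INFO timesheet.update user=carol id=44 description="<script>fetch('/x')</script>"
2019-01-10 09:22:11 INFO timesheet.update user=dave id=45 description="Logo export to svg format"
"""

# Naive equivalent of the advisory's SIEM query: any of the bare words.
NAIVE = re.compile(r"svg|script|onload", re.IGNORECASE)

# Markup-aware pattern: an opening <svg or <script tag, or an on*= event
# handler attribute. Plain-English descriptions contain neither, while an
# injected payload needs at least one of them to execute.
MARKUP = re.compile(r"<\s*(svg|script)\b|\bon[a-z]+\s*=", re.IGNORECASE)


def naive_hits(log: str) -> list[str]:
    """Lines the bare-keyword query would flag (all of them here)."""
    return [ln for ln in log.splitlines() if NAIVE.search(ln)]


def markup_hits(log: str) -> list[str]:
    """Lines containing actual SVG/script markup or an event handler."""
    return [ln for ln in log.splitlines() if MARKUP.search(ln)]


def flagged_ids(log: str) -> list[int]:
    """Timesheet ids worth reviewing, taken from the tighter pattern."""
    ids = []
    for ln in markup_hits(log):
        m = re.search(r"\bid=(\d+)", ln)
        if m:
            ids.append(int(m.group(1)))
    return ids


if __name__ == "__main__":
    print("naive query flagged:", len(naive_hits(SAMPLE_LOG)), "lines")
    print("markup pattern flagged:", len(markup_hits(SAMPLE_LOG)), "lines")
    print("timesheet ids to review:", flagged_ids(SAMPLE_LOG))
```

Against these five constructed lines the naive query flags all five, the markup-aware pattern flags only the two that carry actual tags or handlers (ids 43 and 44).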
