CVE-2021-3985

9.0 CRITICAL

📋 TL;DR

CVE-2021-3985 is a cross-site scripting (XSS) vulnerability in Kimai2 time-tracking software that allows attackers to inject malicious scripts into web pages viewed by other users. This affects all Kimai2 users who access the vulnerable interface. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions.

💻 Affected Systems

Products:
  • Kimai2
Versions: All versions before commit 76e09447c85e762882126b49626a4fe4d93fe8b5
Operating Systems: All platforms running Kimai2
Default Config Vulnerable: ⚠️ Yes
Notes: All Kimai2 deployments using the vulnerable code paths are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, take over accounts, manipulate time-tracking data, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking leading to unauthorized access to time-tracking data and potential data manipulation.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH - Web applications exposed to the internet are directly vulnerable to XSS attacks from any visitor.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but the attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities are commonly exploited and proof-of-concept details are available in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 76e09447c85e762882126b49626a4fe4d93fe8b5 or later

Vendor Advisory: https://github.com/kevinpapst/kimai2/commit/76e09447c85e762882126b49626a4fe4d93fe8b5

Restart Required: No

Instructions:

1. Update Kimai2 to the latest version, or at least to commit 76e09447c85e762882126b49626a4fe4d93fe8b5.
2. Run 'composer install --no-dev' to update dependencies.
3. Clear the cache with 'bin/console cache:clear'.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize user inputs before processing.

Implement input validation in the affected PHP files to filter script tags and special characters.

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution sources.

Add "Content-Security-Policy: default-src 'self'; script-src 'self'" to the web server configuration.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Disable or restrict access to vulnerable Kimai2 interfaces

🔍 How to Verify

Check if Vulnerable:

Check the Kimai2 version against commit hash 76e09447c85e762882126b49626a4fe4d93fe8b5. If you are running an older version, you are vulnerable.

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify that the current commit is 76e09447c85e762882126b49626a4fe4d93fe8b5, or a later commit that includes it, using 'git log --oneline -1'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests with script tags or JavaScript payloads in Kimai2 access logs
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript code to Kimai2 endpoints
  • Unexpected redirects from Kimai2 pages

SIEM Query:

source="kimai_access.log" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
