CVE-2020-19825: GitHub - kimai/kimai: Kimai is a web-based multi-user time-tracking application. Works great for everyone: freelancers, companies, organizations - everyone can track their times, generate reports, cre

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.
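The headline above reports an XSS in Kimai's MarkdownExtension.php but says nothing about the root cause. As an added illustration of the general defence for this class of bug (Markdown permits raw inline HTML, so whatever a Markdown renderer produces from user-supplied text has to be treated as untrusted), here is a stand-alone Python allow-list sanitiser that would sit between the renderer and the page. It is example code written for this page, not Kimai's code and not a reconstruction of the actual flaw; the tag and attribute allow-lists and the sample fragment are constructed.

```python
"""Allow-list sanitiser for HTML produced by a Markdown renderer.

Added example, not Kimai's code: names, allow-lists and the sample
fragment are constructed for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes a Markdown renderer legitimately needs (constructed allow-list).
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
# Relative links (empty scheme) and these schemes are accepted in href.
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def _safe_url(url):
    """Reject href values whose scheme could execute code (javascript:, data:, ...)."""
    if url is None:
        return False
    # Drop characters browsers ignore inside a scheme, so "java\nscript:" is not missed.
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # emitted HTML pieces
        self.open_tags = []    # allowed tags still open, so output stays balanced
        self.discard = None    # element whose whole content is being dropped

    def handle_starttag(self, tag, attrs):
        if self.discard:
            return
        if tag in ("script", "style"):
            self.discard = tag   # drop the element together with its text
            return
        if tag not in ALLOWED_TAGS:
            return               # drop the tag, keep its text content
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue         # removes event handlers (onclick, onerror, ...) and style
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.discard:
            if tag == self.discard:
                self.discard = None
            return
        if tag in self.open_tags:
            # Close down to the matching tag so the output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self.discard:
            return
        self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return a version of `fragment` containing only allow-listed markup."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:          # close anything the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample: what a Markdown renderer might emit when the source text
# contained raw inline HTML supplied by a user.
RENDERED_UNTRUSTED = (
    '<p>Weekly report <strong>done</strong>.</p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="run()">link</a>'
    '<img src="x" onerror="alert(2)">'
    '<p>See <a href="https://example.com/report" title="Report">the report</a> &lt;draft&gt;</p>'
)

if __name__ == "__main__":
    print(sanitize_html(RENDERED_UNTRUSTED))
```

The allow-list approach (keep only known-good tags, attributes and URL schemes, re-escape all text) is preferable to a deny-list because every element or attribute the sanitiser does not know about is dropped by default. In a real deployment a maintained library would replace this hand-written class, but the shape of the check is the same.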


Kimai - time-tracker

Kimai is a professional grade time-tracking application, free and open-source. It handles the use-cases of freelancers as well as companies with dozens or hundreds of users. Kimai was built to track your project times and ships with many advanced features, including but not limited to:

JSON API, invoicing, data exports, multi-timer and punch-in punch-out mode, tagging, multi-user - multi-timezones - multi-language (over 30 translations existing!), authentication via SAML/LDAP/Database, two-factor authentication (2FA) with TOTP, customizable role and team permissions, responsive design, user/customer/project specific rates, advanced search & filtering, money and time budgets, advanced reporting, support for plugins and so much more.

Versions

Two versions of Kimai exist:

  • Version 1 — compatible with PHP 7.4, which is in maintenance mode since 2023
  • Version 2 — stable and “almost released” (waiting for some major plugins, which are not yet migrated)

Links

  • Home — Kimai project homepage
  • Blog — Read the latest news
  • Documentation — Learn how to use Kimai

Requirements

  • PHP 8.1 minimum
  • MariaDB or MySQL
  • A webserver and subdomain (subdirectory is not supported)
  • PHP extensions: gd, intl, json, mbstring, pdo, tokenizer, xml, xsl, zip

Installation

  • Recommended setup — with Git and Composer
  • Docker — containerized by @tobybatch

There is also documentation for:

  • developer setups — on your local machine
  • shared hostings — the least favorable option
  • Synology — you could try to host the Docker version instead
  • 1-click installer — hosted environments

And if you don’t want to host Kimai, you can use the Cloud version of it.

Updating Kimai

  • Update Kimai — get the latest version
  • UPGRADING guide — version specific steps

Plugins

  • Plugin marketplace — find existing plugins here
  • Developer documentation — how to create a plugin

Roadmap and releases

You can see a rough development roadmap in the Milestones sections. It is open for changes and input from the community, your ideas and questions are welcome.

Release versions are created on a regular basis, at the latest every couple of weeks. Every code change, whether it’s a new feature or a bugfix, is made on the main branch.

For the time being and until 2.0 is widely adopted, the 1.x branch will receive bug fixes.

Contributing

You want to contribute to this repository? This is so great! The best way to start is to open a new issue for bugs or feature requests or a discussion for questions, support and such.

In case you want to contribute but don’t know how, here are some suggestions:

  • Spread the word: More users mean more people testing and contributing to Kimai, which in turn means better stability and more and better features. Please vote for Kimai on any software platform, toot or tweet about it, share it on LinkedIn, Reddit or any of your favorite social media platforms. Every bit helps!
  • Answer questions: You know the answer to another user’s problem? Share your knowledge.
  • Something can be done better? An essential feature is missing? Create a feature request.
  • Reporting bugs makes Kimai better for everyone.
  • You don’t have to be a programmer: the documentation and translations could always use some attention.
  • Sponsor the project: free software costs money to create!

There is one simple rule in our "Code of conduct": Don’t be an ass!

Credits

Kimai is based on modern technologies and frameworks such as PHP, Symfony and Doctrine, Bootstrap and Tabler, and countless others.

Related news

GHSA-r58m-v5pr-jhhq: Cross-site Scripting in kimai/kimai

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.
