GHSA-534c-hcr7-67jg

Suggest an improvement
Source
https://github.com/advisories/GHSA-534c-hcr7-67jg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-534c-hcr7-67jg/GHSA-534c-hcr7-67jg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-534c-hcr7-67jg
Published
2024-09-17T18:36:50Z
Modified
2024-09-17T18:47:49.836313Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Kimai has an XXE Leading to Local File Read
Details

Summary

Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.

Details

Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The vulnerability is triggered by the following code snippet:

// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41
public function render(InvoiceDocument $document, InvoiceModel $model): Response
{
    $spreadsheet = IOFactory::load($document->getFilename());
    $worksheet = $spreadsheet->getActiveSheet();
    $entries = $model->getCalculator()->getEntries();
    $sheetReplacer = $model->toArray();
    $invoiceItemCount = \count($entries);
    if ($invoiceItemCount > 1) {
        $this->addTemplateRows($worksheet, $invoiceItemCount);
    }
}

The IOFactory::load function utilizes simplexml_load_string, which has previously been demonstrated to be vulnerable to XXE attacks.

While this is not directly an XXE in Kimai, it does however impact the latest stable version.

PoC

By uploading a malicious XLSX template, the payload will be triggered every time an invoice is generated.

<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter/......." > %xxe;]>.....

For a better a visibility, I will upload both a: - Malicious template sample for testing - An exported invoice, showing the contents of target file during the export.

Impact

Local File Read / RCE in edge cases where phar:// can be utilized with gadget chains .

export.xlsx sample_template.xlsx

References

Affected packages

Packagist / kimai/kimai

Package

Name
kimai/kimai
Purl
pkg:composer/kimai/kimai

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.21.0

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.6.1
0.7
0.8
0.8.1
0.9

1.*

1.0
1.0.1
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.5
1.6
1.6.1
1.6.2
1.7
1.8
1.9
1.10
1.10.1
1.10.2
1.11
1.11.1
1.12
1.13
1.14
1.14.1
1.14.2
1.14.3
1.15
1.15.1
1.15.2
1.15.3
1.15.4
1.15.5
1.15.6
1.16
1.16.1
1.16.2
1.16.3
1.16.4
1.16.5
1.16.6
1.16.7
1.16.8
1.16.9
1.16.10
1.17
1.17.1
1.18
1.18.1
1.18.2
1.19
1.19.1
1.19.2
1.19.3
1.19.4
1.19.5
1.19.6
1.19.7
1.20
1.20.1
1.20.2
1.20.3
1.20.4
1.21.0
1.22.0
1.22.1
1.23.0
1.23.1
1.24.0
1.25.0
1.26.0
1.27.0
1.28.0
1.28.1
1.29.0
1.29.1
1.30.0
1.30.1
1.30.2
1.30.3
1.30.4
1.30.5
1.30.6
1.30.7
1.30.8
1.30.9
1.30.10
1.30.11

2.*

2.0.0-alpha
2.0.0-beta
2.0.0-beta-2
2.0.0-beta-3
2.0.0-rc-1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.1.0
2.2.0
2.2.1
2.3.0
2.4.0
2.4.1
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0
2.10.0
2.11.0
2.12.0
2.13.0
2.14.0
2.15.0
2.16.0
2.16.1
2.17.0
2.18.0
2.19.0
2.19.1
2.20.0
2.20.1

Database specific

{
    "last_known_affected_version_range": "<= 2.20.1"
}