CVE-2024-29200: 
PHP vulnerability analysis and mitigation

Kimai, a web-based multi-user time-tracking application, was found to have a vulnerability (CVE-2024-29200) where the permission 'viewothertimesheet' behaved inconsistently between the UI and API interfaces. The vulnerability was discovered and disclosed in March 2024, affecting all versions prior to 2.13.0 (GitHub Advisory).

The vulnerability stems from a discrepancy in permission handling between the UI and API interfaces. When the 'viewothertimesheet' permission is enabled, the UI correctly restricts users to viewing timesheet entries only for teams they are part of. However, the API endpoint returns all timesheet entries regardless of team permissions. This inconsistency is classified with a CVSS v3.1 score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N (GitHub Advisory).

The vulnerability compromises data confidentiality by allowing users to access timesheet entries they should not be authorized to view. This is particularly significant as API access is necessary for features like mobile app functionality, making it impossible to mitigate by simply restricting API access to administrators (GitHub Advisory).

The vulnerability has been fixed in Kimai version 2.13.0. Users are advised to upgrade to this version or later to address the security issue. No alternative workarounds are available, as restricting API access is not a viable solution due to legitimate API usage requirements (GitHub Advisory).