CVE-2013-10033
Kimai 0.9.2 db_restore.php SQL Injection
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th
An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries through the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.
| CWE | CWE-89 |
| Vendor | kimai project |
| Product | kimai |
| Published | Jul 31, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
Kimai Project / Kimai
0.9.2.0
References
raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/kimai_sqli.rb
exploit-db.com: https://www.exploit-db.com/exploits/30010
exploit-db.com: https://www.exploit-db.com/exploits/25606
vulners.com: https://vulners.com/metasploit/MSF:EXPLOIT-UNIX-WEBAPP-KIMAI_SQLI-
vulncheck.com: https://www.vulncheck.com/advisories/kimai-sqli
Credits
drone