Kimai is a free, open source and online time-tracking software designed for small businesses and freelancers. Same as any other collaboration project, it gives the users the ability to export data in several formats CSV, PDF, and HTML. However, it didn't properly sanatize the user input, which made room for potential injections.
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. On the dashboard page after a successful login, it is possible for an attacker to set certain values in the Descreption field that - when exported and opened with a spreadsheet application (Microsoft Excel, Open Office, etc.) - will be interpreted as a formula. This puts the users/administrators who open those malicious exported files at risk. Exfiltration of sensitive data or even the execution of arbitrary code on the local machine of the victim will be the result. The final impact depends on the used spreadsheet software on the client of the victim.
