CVE-2023-53957 - Vulnerability Details

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation poc

Automatable yes

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Kimai

affected

Version	Status	Constraints
`1.30.10`	affected	—

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Kimai Subscribe	Kimai Subscribe

Project Subscriptions

Vendors	Products
Kimai Subscribe	Kimai Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/kimai/kimai/releases/tag/1.30.10
https://www.exploit-db.com/exploits/51278
https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking

History

Sun, 21 Dec 2025 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kimai Kimai kimai
Vendors & Products		Kimai Kimai kimai

Fri, 19 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 19 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Description		Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.
Title		Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
Weaknesses		CWE-1275
References		https://github.com/kimai/kimai/releases/tag/1.30.10 https://www.exploit-db.com/exploits/51278 https://www.vulncheck.com/advisories/kimai-samesite-cookie-vulnerability-session-hijacking
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-12-19T21:05:52.561Z

Updated: 2025-12-19T21:41:07.772Z

Reserved: 2025-12-19T14:03:57.723Z

Link: CVE-2023-53957

Vulnrichment

Updated: 2025-12-19T21:40:32.163Z

NVD

Status : Awaiting Analysis

Published: 2025-12-19T21:15:52.170

Modified: 2025-12-23T14:51:52.650

Link: CVE-2023-53957

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-12-21T21:12:50Z

Weaknesses

CWE-1275

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object