cbcvebase.
CVE-2013-10033
published 2025-07-31

Priority: P2 69
Severity: critical
CVSS 4.0 base score: 9.3
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics all not defined: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
Tags: EXPLOIT
EPSS: 1.21% (64.6th percentile)
An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3.

Affected (1 range)

Vendor: kimai_project
Product: kimai
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

path: db_restore.php
url: /db_restore.php
other: dates[]
command: INTO OUTFILE
path: temporary/

Detection guidance:
  • Monitor for unauthenticated POST requests to db_restore.php, especially those containing SQL metacharacters or INTO OUTFILE syntax in the dates[] parameter.
  • Alert on SQL injection patterns (e.g., INTO OUTFILE) in POST body parameters targeting Kimai's db_restore.php endpoint, which requires no authentication.
  • Watch for new PHP files written to the Kimai 'temporary' web-accessible directory, which may indicate successful exploitation and PHP payload drop.

Exploitation preconditions:
  • Exploitation via INTO OUTFILE for RCE is only possible when the PHP configuration has 'display_errors' enabled.
  • The file-write RCE vector requires Kimai to be configured with a MySQL database running on localhost.
  • Successful payload write requires the MySQL user to have filesystem write permissions to the Kimai temporary directory.