There is a security risk in all versions of the timesheet prior to 1.5.0 that made it somewhat easy for any user to become any other user including an administrator of the Timesheet NG site.

Bug report was made public on July 26, 2010.