CVE-2024-37889

Published: Jun 14, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.

Affected (1)

Products: Treyww: Myfinances

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Treyww Myfinances	Before 0.4.6

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/TreyWW/MyFinances/commit/2c1e6d5b7ec8b2d6f660b260e3c5f4d3eaaa613f

Source: security-advisories@github.com

Patch

https://github.com/TreyWW/MyFinances/security/advisories/GHSA-4884-3gvp-3wj2

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/TreyWW/MyFinances/commit/2c1e6d5b7ec8b2d6f660b260e3c5f4d3eaaa613f

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/TreyWW/MyFinances/security/advisories/GHSA-4884-3gvp-3wj2

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

Timeline

No history available yet.