#VU32988 Improper Authorization in I hate money - CVE-2020-15120

Cybersecurity Help s.r.o.

Published: 2020-08-03

Vulnerability identifier: #VU32988

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-15120

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
I hate money
Web applications / Other software

Vendor: The spiral project

Description

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to insufficient authorization checking. A remote administrator can modify and delete members of another project, without knowledge of this other project's private code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

I hate money: 0.9 - 4.1.4

External links
https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471
https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authorization in I hate money web application