cvelist / GitHub_M / CVELIST:CVE-2024-37889
History: Jun 14, 2024 - 7:12 p.m.

CVE-2024-37889 MyFinances Allows Unauthorized Access to Other Customer Data

Date: 2024-06-14 19:12:14
CWE: CWE-639
Source: GitHub_M (www.cve.org)
Tags: myfinances, web application, unauthorized access, customer data, pii, financial information, vulnerability, fix

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.0004 Low
Percentile: 9.0%

MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.

CNA Affected

[
  {
    "vendor": "TreyWW",
    "product": "MyFinances",
    "versions": [
      {
        "version": "< 0.4.6",
        "status": "affected"
      }
    ]
  }
]
