Missing Authorization

Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the change-password endpoint, which lacks proper authorization checks. An attacker can gain administrative privileges by overwriting the password hash for the...

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Summary Any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowing any session to overwrite the password hash; the inactive...