CVE-2020-15120

{"id": "CVE-2020-15120", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2020-07-27T18:15:13.983", "references": [{"url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In \"I hate money\" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5."}, {"lang": "es", "value": "En \"I hate money\" antes de la versi\u00f3n 4.1.5, un miembro autenticado de un proyecto puede modificar y eliminar miembros de otro proyecto, sin conocer el c\u00f3digo privado de este otro proyecto. Esto puede ser explotado a\u00fan m\u00e1s para acceder a todas las facturas de otro proyecto sin conocer el c\u00f3digo privado de este otro proyecto. Con la configuraci\u00f3n predeterminada, es permitido a cualquiera crear un nuevo proyecto. Un atacante puede crear un nuevo proyecto y luego usarlo para autenticarse y explotar este fallo. Como tal, la exposici\u00f3n es similar a un ataque no autenticado, porque es muy sencillo autenticarse. Esto est\u00e1 corregido en la versi\u00f3n 4.1.5"}], "lastModified": "2024-11-21T05:04:51.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ihatemoney:i_hate_money:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "454CE36C-D558-461D-99E5-6A533CD5C59A", "versionEndExcluding": "4.1.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}