CVE-2020-15120

CVSS V2 Medium 4 CVSS V3 Medium 4.9
Description
In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.
Overview
  • CVE ID
  • CVE-2020-15120
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2020-07-27T18:15:13
  • Last Modified Date
  • 2020-07-29T18:09:36
Weakness Enumerations
CWE URL
CWE-863 http://cwe.mitre.org/data/definitions/863.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:ihatemoney:i_hate_money:*:*:*:*:*:*:*:* 1 OR 4.1.5
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:S/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • SINGLE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • HIGH
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 4.9
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 1.2
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9 Third Party Advisory
https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471 Patch Third Party Advisory
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2020-15120
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15120
History
Created Old Value New Value Data Type Notes
2022-05-10 16:39:07 Added to TrackCVE
2022-12-04 20:16:05 2020-07-27T18:15Z 2020-07-27T18:15:13 CVE Published Date updated
2022-12-04 20:16:05 2020-07-29T18:09:36 CVE Modified Date updated
2022-12-04 20:16:05 Analyzed Vulnerability Status updated