
Gugoan Economizzer vulnerabilities

5 known vulnerabilities affecting gugoan/economizzer.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2023-38874 | P2 | HIGH | affected: ≥ 0, ≤ 0.9-beta1 | 2023-09-28
CWE-434: Economizzer remote code execution vulnerability. A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.
Sources: GHSA, OSV
CVE-2023-38877 | P3 | HIGH | affected: ≥ 0, ≤ 0.9-beta1 | 2023-09-28
CWE-94: Economizzer host header injection vulnerability. A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset o
Sources: GHSA, OSV
CVE-2023-38873 | P4 | MEDIUM | affected: ≥ 0, ≤ 0.9-beta1 | 2023-09-28
CWE-1021: Economizzer vulnerable to Clickjacking. The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer are vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for
Sources: GHSA, OSV
CVE-2023-38871 | P4 | MEDIUM | affected: ≥ 0, ≤ 0.9-beta1 | 2023-09-28
CWE-203: Economizzer user enumeration vulnerability. The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer have a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid and when it is not. This may allow an attacker to determine whether a user or email address is valid, or to brute force valid usernames and email addresses.
Sources: GHSA, OSV
CVE-2023-38872 | P4 | LOW | affected: ≥ 0, ≤ 0.9-beta1 | 2023-09-28
CWE-639: Economizzer Insecure Direct Object Reference vulnerability. An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment.
Sources: GHSA, OSV