Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-38874: GitHub - gugoan/economizzer: Open Source Personal Finance Manager

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan’s Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

CVE
#sql#vulnerability#web#mac#apache#redis#git#php#rce#nginx

** Economizzer**

Economizzer is a simple and open source personal finance manager system made in PHP Yii Framework 2.

It is available in the following languages: English, Spanish, Portuguese, Russian, Korean, Hungarian and French.

Learn more the features on the official website: www.economizzer.org

Live Demo

You can try: www.economizzer.org/web

Use the user “joe” and password "123456".

Requirements

The minimum requirement by this application that your Web server supports PHP 5.4.0 and either apache2 or nginx.

Required libraries: libapache2-mod-php, php-mbstring, php-xml, php-curl

Installation

git clone https://github.com/gugoan/economizzer.git
cd economizzer
composer install

Configuration

In folder economizzer/config/db.php set as follows:

return [ ‘class’ => 'yii\db\Connection’, ‘dsn’ => 'mysql:host=127.0.0.1;dbname=economizzer’, ‘username’ => 'USER’, ‘password’ => 'PASSWORD’, ‘charset’ => 'utf8’, ‘enableSchemaCache’ => true, ];

And import the database sql file

economizzer.sql

To test, go to http://yourserver/economizzer/web with user and password below:

Use the user “joe” and password "123456".

Contribution

Please see CONTRIBUTING.

License

Economizzer is Copyright © 2014 Gustavo G. Andrade. It is free software, and may be redistributed under the terms specified in the LICENSE file.

Donations

To encourage the developer with new enhancements, web hosting costs, or even to buy him a good beer, support the project by making a donation.

Thanks to

Related news

GHSA-pq98-6hf6-3rj3: Economizzer remote code execution vulnerability

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907