Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-38877: GitHub - gugoan/economizzer: Open Source Personal Finance Manager

A host header injection vulnerability exists in gugoan’s Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users’ passwords.

CVE
#sql#vulnerability#web#mac#apache#redis#git#php#nginx

** Economizzer**

Economizzer is a simple and open source personal finance manager system made in PHP Yii Framework 2.

It is available in the following languages: English, Spanish, Portuguese, Russian, Korean, Hungarian and French.

Learn more the features on the official website: www.economizzer.org

Live Demo

You can try: www.economizzer.org/web

Use the user “joe” and password "123456".

Requirements

The minimum requirement by this application that your Web server supports PHP 5.4.0 and either apache2 or nginx.

Required libraries: libapache2-mod-php, php-mbstring, php-xml, php-curl

Installation

git clone https://github.com/gugoan/economizzer.git
cd economizzer
composer install

Configuration

In folder economizzer/config/db.php set as follows:

return [ ‘class’ => 'yii\db\Connection’, ‘dsn’ => 'mysql:host=127.0.0.1;dbname=economizzer’, ‘username’ => 'USER’, ‘password’ => 'PASSWORD’, ‘charset’ => 'utf8’, ‘enableSchemaCache’ => true, ];

And import the database sql file

economizzer.sql

To test, go to http://yourserver/economizzer/web with user and password below:

Use the user “joe” and password "123456".

Contribution

Please see CONTRIBUTING.

License

Economizzer is Copyright © 2014 Gustavo G. Andrade. It is free software, and may be redistributed under the terms specified in the LICENSE file.

Donations

To encourage the developer with new enhancements, web hosting costs, or even to buy him a good beer, support the project by making a donation.

Thanks to

Related news

GHSA-hqp9-mrjw-7qq2: Economizzer host header injection vulnerability

A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907