4.9
CVE-2026-23844
- EPSS 0.19%
- Veröffentlicht 19.01.2026 20:43:29
- Zuletzt bearbeitet 05.02.2026 18:49:26
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginWhisper Money has IDOR Vulnerability on sync/balances endpoint
Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users' bank accounts. Version 0.1.5 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Whisper.Money ≫ Whisper Money Version < 0.1.5
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.091 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 4.9 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-488 Exposure of Data Element to Wrong Session
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74
https://github.com/whisper-money/whisper-money/pull/60
https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686