PT-2020-14201 · Unknown · I Hate Money

Zorun · Published 2020-07-27 · Updated 2020-07-29 · CVE-2020-15120

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: I Hate Money versions prior to 4.1.5

Description: An authenticated member of one project can modify and delete members of another project without knowing that other project's private code. This can be further exploited to access all bills of the other project, again without its private code. With the default configuration anybody is allowed to create a new project, so becoming an authenticated user and exploiting this flaw is trivial. The issue can be exploited through API endpoints such as "PUT /api/projects//members/" and "DELETE /api/projects//members/", as well as through the web interface at "//members//edit".

Recommendations: To fix the issue, update to version 4.1.5. As a temporary workaround, consider setting ALLOW_PUBLIC_PROJECT_CREATION = False in the configuration to limit the impact; note that existing users will still be able to exploit the flaw.
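The flaw described above is a missing ownership check: a member is resolved by its numeric id alone, so the authenticated project is never compared with the project the member actually belongs to. The following is an added illustration of that pattern and of the corrected check, written for this page; it is not I Hate Money's code, and the in-memory store, the project and member names, the private codes and the handler names are all constructed for the example.

```python
"""Missing-ownership-check pattern (vulnerable) beside the scoped lookup (fixed).

Hypothetical in-memory model, not I Hate Money's implementation: the project
ids, member ids, names and private codes below are constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller failed to authenticate to the project."""


class NotFound(Exception):
    """Resource does not exist, or is not visible to the caller."""


@dataclass
class Member:
    id: int
    project_id: str
    name: str


@dataclass
class Project:
    id: str
    private_code: str                     # per-project password used to log in
    members: dict = field(default_factory=dict)   # member id -> Member


class Store:
    """Fresh sample data: two projects, each with its own members."""

    def __init__(self) -> None:
        self.projects = {
            "trip": Project("trip", "code-trip", {
                1: Member(1, "trip", "alice"),
                2: Member(2, "trip", "bob"),
            }),
            "flat": Project("flat", "code-flat", {
                3: Member(3, "flat", "carol"),
            }),
        }
        # Global index keyed by member id only: the shape that invites the bug,
        # because the id carries no information about which project owns it.
        self.members_by_id = {
            m.id: m for p in self.projects.values() for m in p.members.values()
        }

    def authenticate(self, project_id: str, private_code: str) -> Project:
        """Log in as a project with its private code (hypothetical login)."""
        project = self.projects.get(project_id)
        if project is None or project.private_code != private_code:
            raise Forbidden("bad project id or private code")
        return project


def delete_member_vulnerable(store: Store, auth_project: Project, member_id: int) -> str:
    """Vulnerable: trusts the member id from the URL and never checks that the
    member belongs to the project the caller authenticated to."""
    member = store.members_by_id.get(member_id)
    if member is None:
        raise NotFound(member_id)
    del store.projects[member.project_id].members[member_id]
    del store.members_by_id[member_id]
    return f"deleted {member.name} from {member.project_id}"


def delete_member_fixed(store: Store, auth_project: Project, member_id: int) -> str:
    """Fixed: resolve the member inside the authenticated project only, so an id
    owned by another project looks exactly like a missing one (no oracle)."""
    member = auth_project.members.get(member_id)
    if member is None or member.project_id != auth_project.id:
        raise NotFound(member_id)
    del auth_project.members[member_id]
    store.members_by_id.pop(member_id, None)
    return f"deleted {member.name} from {auth_project.id}"


def cross_project_delete_blocked(handler) -> bool:
    """True if `handler`, called by project 'flat', refuses to delete member 1,
    who belongs to project 'trip'. Each call starts from a fresh store."""
    store = Store()
    flat = store.authenticate("flat", "code-flat")
    try:
        handler(store, flat, 1)
    except NotFound:
        return "alice" in {m.name for m in store.projects["trip"].members.values()}
    return False


def own_project_delete_allowed(handler) -> bool:
    """True if `handler` still lets project 'trip' delete its own member 1."""
    store = Store()
    trip = store.authenticate("trip", "code-trip")
    handler(store, trip, 1)
    return 1 not in store.projects["trip"].members and 1 not in store.members_by_id


if __name__ == "__main__":
    print("vulnerable blocks cross-project delete:", cross_project_delete_blocked(delete_member_vulnerable))
    print("fixed blocks cross-project delete:     ", cross_project_delete_blocked(delete_member_fixed))
    print("fixed allows own-project delete:       ", own_project_delete_allowed(delete_member_fixed))
```

The fixed handler returns the same "not found" result whether the id does not exist or belongs to another project, so an authenticated user cannot use the response to distinguish the two cases. The same scoping applies to the PUT and web-interface paths named in the description: any lookup of a member must start from the authenticated project, not from a global id.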

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2020-15120
GHSA-67J9-C52G-W2Q9
PYSEC-2020-264

Affected Products

I Hate Money