PT-2024-29466 · Unknown · Money Manager Ex Webapp

Jp-Wagner · Published 2024-10-24 · Updated 2024-10-29 · CVE-2024-41618

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Money Manager EX WebApp (web-money-manager-ex) version 1.2.2

Description

The issue is due to improper sanitization of user input in the TrDeleteArr parameter, which is directly incorporated into an SQL query. This occurs in the transaction delete group function, allowing for SQL Injection.

Recommendations

For Money Manager EX WebApp (web-money-manager-ex) version 1.2.2, as a temporary workaround, consider disabling the transaction delete group function until a patch is available. Restrict access to the TrDeleteArr parameter to minimize the risk of exploitation.
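
One way to handle a list-valued parameter such as TrDeleteArr so that it never becomes part of the SQL text, shown as an added example that is not code from Money Manager EX WebApp or from this advisory. It assumes the parameter carries a list of transaction IDs; the `transactions` table, its `id` column and the function names are hypothetical, and Python with SQLite is used only for illustration.

```python
import sqlite3

MAX_IDS = 500  # stay below SQLite's bound-parameter limit (999 on older builds)


def parse_id_list(raw_ids):
    """Accept only a non-empty, bounded list of decimal transaction IDs."""
    if not isinstance(raw_ids, (list, tuple)) or not 0 < len(raw_ids) <= MAX_IDS:
        raise ValueError("expected 1..%d transaction IDs" % MAX_IDS)
    ids = []
    for item in raw_ids:
        text = str(item)
        # isascii() + isdigit() rejects signs, spaces, quotes and SQL fragments
        if not (text.isascii() and text.isdigit()):
            raise ValueError("non-numeric transaction ID rejected")
        ids.append(int(text))
    return ids


def delete_transaction_group(conn, raw_ids):
    """Delete the listed rows; values travel as bound parameters only."""
    ids = parse_id_list(raw_ids)
    placeholders = ",".join("?" * len(ids))  # only '?' marks are interpolated
    sql = "DELETE FROM transactions WHERE id IN (%s)" % placeholders
    with conn:  # commit on success, roll back on error
        return conn.execute(sql, ids).rowcount


def demo():
    # Constructed in-memory data: five transactions with IDs 1..5.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)",
                     [(i, 10.0 * i) for i in range(1, 6)])
    deleted = delete_transaction_group(conn, ["1", "3"])  # constructed form input
    try:
        # Constructed hostile element: not a pure integer, so it is refused.
        delete_transaction_group(conn, ["2", "4) OR (1=1"])
        rejected = False
    except ValueError:
        rejected = True
    remaining = [r[0] for r in conn.execute("SELECT id FROM transactions ORDER BY id")]
    return deleted, rejected, remaining


if __name__ == "__main__":
    print(demo())
```

The whole request is rejected when any element fails validation, so a malformed list deletes nothing rather than deleting the valid subset.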

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-41618

Affected Products

Money Manager Ex Webapp