CVE-2020-15120

Authorization Bypass in I hate money

Description

In "I hate money" before version 4.1.5, an authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project. An attacker can create a new project and then use it to become authenticated and exploit this flaw. As such, the exposure is similar to an unauthenticated attack, because it is trivial to become authenticated. This is fixed in version 4.1.5.

Category

4.9
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.22%
Third-Party Advisory github.com Third-Party Advisory github.com
Affected: spiral-project ihatemoney
Published at:
Updated at:

References

Link Tags
https://github.com/spiral-project/ihatemoney/security/advisories/GHSA-67j9-c52g-w2q9 third party advisory
https://github.com/spiral-project/ihatemoney/commit/8d77cf5d5646e1d2d8ded13f0660638f57e98471 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2020-15120?
CVE-2020-15120 has been scored as a medium severity vulnerability.
How to fix CVE-2020-15120?
To fix CVE-2020-15120, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-15120 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-15120 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-15120?
CVE-2020-15120 affects spiral-project ihatemoney.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.