Gustavo G. Andrade

5 exploits Active since Sep 2023
CVE-2023-38870 WRITEUP CRITICAL STUB
gugoan Economizzer <0.9-beta1 - SQL Injection
A SQL injection vulnerability exists in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1. The cash book has a feature to list accomplishments by category, and the 'category_id' parameter is vulnerable to SQL Injection.
CVSS 9.8
CVE-2023-38871 WRITEUP MEDIUM STUB
gugoan Economizzer <0.9-beta1 - Info Disclosure
The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer has a user enumeration vulnerability in the login and forgot password functionalities. The app reacts differently when a user or email address is valid, and when it's not. This may allow an attacker to determine whether a user or email address is valid, or brute force valid usernames and email addresses.
CVSS 5.3
CVE-2023-38872 WRITEUP LOW STUB
gugoan Economizzer <0.9-beta1 - IDOR
An Insecure Direct Object Reference (IDOR) vulnerability in gugoan Economizzer commit 3730880 (April 2023) and v.0.9-beta1 allows any unauthenticated attacker to access cash book entry attachments of any other user, if they know the Id of the attachment.
CVSS 3.7
CVE-2023-38874 WRITEUP HIGH STUB
gugoan's Economizzer v.0.9-beta1 - RCE
A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.
CVSS 8.8
CVE-2023-38877 WRITEUP HIGH STUB
gugoan's Economizzer <0.9-beta1 - Host Header Injection
A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.
CVSS 8.8