漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints
Vulnerability Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
CVSS Information
N/A
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
actual 访问控制错误漏洞
Vulnerability Description
actual是Actual开源的一个个人理财工具。 Actual 26.2.1之前版本存在访问控制错误漏洞,该漏洞源于ActualBudget服务器组件缺少身份验证中间件,可能导致未经验证的用户读取敏感银行账户信息。
CVSS Information
N/A
Vulnerability Type
N/A