漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Vulnerability Description
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Version 26.2.1 patches the issue.
CVSS Information
N/A
Vulnerability Type
授权机制缺失
Vulnerability Title
actual 安全漏洞
Vulnerability Description
actual是Actual开源的一个个人理财工具。 actual 26.2.1之前版本存在安全漏洞,该漏洞源于同步API端点未验证文件所有权,可能导致任意用户预算文件被读取或修改。
CVSS Information
N/A
Vulnerability Type
N/A