Multiple vulnerabilities in Daily Expense Manager
Posted date 27/06/2025
Identifier
INCIBE-2025-0348
Importance
4 - High
Affected Resources
Daily Expense Manager, 1.0 version.
Description
INCIBE has coordinated the publication of 4 vulnerabilities, 1 of high severity and 3 of medium severity, affecting Daily Expense Manager, a tool for calculating expenses based on CRUD actions. The vulnerabilities have been discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE weakness type:
- CVE-2025-40731: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-40732: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-203
- CVE-2025-40733 and CVE-2025-40734: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
There is no reported solution at this time.
Detail
- CVE-2025-40731: SQL injection vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to retrieve, create, update and delete databases through the pname, pprice and id parameters in /update.php.
- CVE-2025-40732: user enumeration vulnerability in Daily Expense Manager v1.0. To exploit this vulnerability a POST request must be sent using the name parameter in /check.php.
- Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to execute JavaScript code by sending a POST request. The list of assigned parameters and identifiers is as follows:
  - CVE-2025-40733: username parameter in /login.php.
  - CVE-2025-40734: password and confirm_password parameters in /register.php.
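Since no vendor fix has been reported, the following PHP is an added illustration (not Daily Expense Manager's own code, nor a published patch) of the defensive patterns that close the three weakness classes listed above. The endpoint and parameter names (pname, pprice, id, name, username, password, confirm_password) come from the advisory; the table and column names, the PDO connection, the function names and the JSON response shape are assumptions.

```php
<?php
// Added example, not the project's code. Only the endpoint and parameter
// names are taken from the advisory; table/column names and the PDO
// connection below are assumptions.

// Assumed connection; real server-side prepared statements, exceptions on error.
function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=expense', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// CVE-2025-40731 / CWE-89 (/update.php): validate, then bind every
// user-controlled value. This replaces the string-built query pattern
// ("UPDATE ... SET pname='$pname' ... WHERE id=$id") that CWE-89 describes.
function updateExpense(PDO $pdo, array $post): bool {
    $id     = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $pprice = filter_var($post['pprice'] ?? null, FILTER_VALIDATE_FLOAT);
    $pname  = trim((string)($post['pname'] ?? ''));
    if ($id === false || $pprice === false || $pname === '' || strlen($pname) > 100) {
        return false; // reject malformed input instead of trying to sanitise it
    }
    $stmt = $pdo->prepare(
        'UPDATE expenses SET pname = :pname, pprice = :pprice WHERE id = :id'
    );
    $stmt->bindValue(':pname',  $pname,  PDO::PARAM_STR);
    $stmt->bindValue(':pprice', $pprice);               // no PARAM_FLOAT; sent as a string
    $stmt->bindValue(':id',     $id,     PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// CVE-2025-40732 / CWE-203 (/check.php): the response must not differ
// depending on whether the name exists, otherwise the endpoint is an
// account oracle. Same status code, same body, same shape in both cases.
function checkName(PDO $pdo, string $name): string {
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $stmt->fetch(); // result intentionally not reflected in the response
    return json_encode(['status' => 'ok']);
}

// CVE-2025-40733 / CVE-2025-40734 / CWE-79 (/login.php, /register.php):
// encode anything reflected into HTML. The form field value is an
// attribute context, so quotes must be escaped too (ENT_QUOTES).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderLoginForm(array $post): string {
    $username = (string)($post['username'] ?? '');
    return '<input name="username" value="' . h($username) . '">';
}

// Password fields are never pre-filled from the request, even encoded;
// that removes the reflection point for password and confirm_password.
function renderRegisterForm(): string {
    return '<input type="password" name="password" value="">'
         . '<input type="password" name="confirm_password" value="">';
}

// Second layer for the XSS cases: a CSP that blocks inline script.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");

// Wiring (assumed): dispatch on the script name of the request.
$pdo = connect();
switch (basename($_SERVER['SCRIPT_NAME'] ?? '')) {
    case 'update.php':   echo updateExpense($pdo, $_POST) ? 'updated' : 'rejected'; break;
    case 'check.php':    header('Content-Type: application/json');
                         echo checkName($pdo, (string)($_POST['name'] ?? ''));      break;
    case 'login.php':    echo renderLoginForm($_POST);                               break;
    case 'register.php': echo renderRegisterForm();                                  break;
}
```

If /check.php exists to tell a registrant whether a name is still free, a uniform response removes that feature; the alternative that keeps it is to bind the check to an authenticated or CSRF-protected session and rate-limit it per client, so the oracle cannot be driven at scale. For the SQL injection case, the important detail is that the id parameter is validated as an integer and bound as one; a prepared statement with the value interpolated into the query string would not help.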