Monetr Transaction Integrity Vulnerability Allowing Unauthorized Deletion of Synced Transactions
Vulnerability
A vulnerability in Monetr, a budgeting application, prior to version 1.12.3, allows authenticated users to soft-delete synced, non-manual transactions through the transaction update endpoint. This bypasses the application's restriction against deleting such transactions via the standard DELETE method. The issue arises because the update endpoint accepts a full transaction object from the client, including server-managed fields such as 'deletedAt' (a mass-assignment flaw), instead of limiting the update to the fields a client may change. As a result, protected transactions can be hidden from normal views, undermining the integrity of transaction records and audit trails.
Impact
Exploitation of this vulnerability results in an authorization bypass and an integrity violation: protected imported transactions can be effectively deleted or hidden, disrupting transaction history and bookkeeping accuracy. This is particularly concerning for deployments that rely on the immutability of transactions synced from non-manual links.
Reproduction
To reproduce this vulnerability, first identify a synced transaction linked to a non-manual source. Attempt to delete it using the normal DELETE route; the request is rejected by the application's safeguard against deleting non-manual synced transactions. Then use the PUT update endpoint to send a request that includes a user-supplied 'deletedAt' value. This request succeeds, and the transaction disappears from standard listing views, although it can still be retrieved directly with the 'deletedAt' field populated, confirming that it has been soft-deleted.
Remediation
Update to Monetr version 1.12.3 or later, where this vulnerability has been fixed.
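The flawed update pattern described above beside a hardened version, as an added example in Go (not Monetr's code; the Transaction model, its field names and the function names are assumptions). The hardened handler decodes only an allow-list of client-editable fields, and soft deletion is routed through a single function that applies the same manual-only rule as the DELETE route.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// Transaction is a simplified model; field names are assumptions, not Monetr's schema.
type Transaction struct {
	Amount    int64      `json:"amount"`
	IsManual  bool       `json:"isManual"`  // false: synced from a bank link
	DeletedAt *time.Time `json:"deletedAt"` // server-managed soft-delete marker
}

var ErrProtected = errors.New("synced transactions cannot be deleted")

// vulnerableUpdate: the full client object, deletedAt included, overwrites the stored record.
func vulnerableUpdate(stored Transaction, body []byte) (Transaction, error) {
	if err := json.Unmarshal(body, &stored); err != nil {
		return Transaction{}, err
	}
	return stored, nil
}

// updateRequest is an allow-list of the fields a client may change.
type updateRequest struct {
	Amount *int64 `json:"amount"`
}

// hardenedUpdate decodes only allow-listed fields; a client-supplied deletedAt or isManual is ignored.
func hardenedUpdate(stored Transaction, body []byte) (Transaction, error) {
	var req updateRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return Transaction{}, err
	}
	if req.Amount != nil {
		stored.Amount = *req.Amount
	}
	return stored, nil
}

// softDelete is the sole path that sets deletedAt and applies the DELETE route's manual-only rule.
func softDelete(stored Transaction, now time.Time) (Transaction, error) {
	if !stored.IsManual {
		return stored, ErrProtected
	}
	stored.DeletedAt = &now
	return stored, nil
}
```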