Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects, EspoCRM, Pimcore, and Akaunting, that are widely used by many small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks.
All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted. Six of the nine flaws were uncovered in the Akaunting project.
EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, for its part, is an open-source online accounting application designed for invoice and expense tracking.
The checklist of issues is as follows –
- CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
- CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
- CVE-2021-31869 (CVSS score: 6.5) – Pimcore AdminBundle v6.8.0
- CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
- CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
- CVE-2021-36802 (CVSS score: 6.5) – Denial-of-service via user-controlled ‘locale’ variable in Akaunting v2.1.12
- CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12
- CVE-2021-36804 (CVSS score: 5.4) – Weak password reset in Akaunting v2.1.12
- CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12
Pimcore Customer Data Framework
Also addressed in Akaunting is a weak password reset vulnerability wherein an attacker can abuse the “I forgot my password” feature to send a phishing email from the application to a registered user containing a malicious link that, when clicked, delivers the password reset token. The bad actor can then use the token to set a password of their choice.
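The article does not detail the root cause of the Akaunting password reset weakness, so the following is an added illustration, not Akaunting's code: it shows, in Python, a generic reset flow in which the emailed link is built from a fixed, operator-configured origin rather than from anything the request supplies, and in which the token is stored hashed, expires, and is single-use. The `build_reset_link_unsafe` function is a hypothetical example of the pattern to avoid, namely deriving the link's host from request data, which is one common way a reset email ends up pointing somewhere the token should not go. All names, the base URL, and the user list are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed configuration: the application's canonical origin, set by the
# operator and never derived from the incoming request.
APP_BASE_URL = "https://accounting.example.internal"
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: email -> (sha256(token), expiry timestamp).
# A real application keeps this in its database.
_reset_store: Dict[str, Tuple[str, float]] = {}
_users = {"alice@example.internal"}


def _hash_token(token: str) -> str:
    # Store only a digest so a database read does not yield a usable token.
    return hashlib.sha256(token.encode()).hexdigest()


def build_reset_link_unsafe(request_host: str, token: str) -> str:
    """Hypothetical anti-pattern: the link host comes from request data.

    If that value is attacker-influenced, the email the application sends
    carries a link to a host the attacker controls, and the recipient's click
    delivers the token there. Shown only to contrast with build_reset_link.
    """
    return f"https://{request_host}/auth/reset?{urlencode({'token': token})}"


def build_reset_link(token: str) -> str:
    """Hardened: the origin is fixed configuration, so the link can only point
    at the application itself."""
    return f"{APP_BASE_URL}/auth/reset?{urlencode({'token': token})}"


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a reset token and return the link to email, or None for an
    unknown address. Callers should respond identically in both cases so the
    endpoint does not reveal which addresses are registered."""
    now = time.time() if now is None else now
    if email not in _users:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_store[email] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return build_reset_link(token)


def redeem_reset(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token only if one is outstanding for this user, it is
    unexpired, and it matches in constant time; a successful redemption
    consumes it so it cannot be replayed."""
    now = time.time() if now is None else now
    entry = _reset_store.get(email)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        _reset_store.pop(email, None)
        return False
    if not hmac.compare_digest(stored_hash, _hash_token(token)):
        return False
    _reset_store.pop(email, None)  # single use
    return True


if __name__ == "__main__":
    link = request_reset("alice@example.internal")
    print("reset link to email:", link)
    tok = link.split("token=")[1]
    print("first redemption:", redeem_reset("alice@example.internal", tok))
    print("replay attempt:", redeem_reset("alice@example.internal", tok))
```

The design point is that the only thing a recipient can learn from the email is a link to the real application; the token itself is opaque, short-lived, and worthless after one use, and the server never echoes request-supplied host or URL data back into the message it sends.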
“All three of these projects have real users, real customers of their attendant support services and cloud-hosted versions, and are certainly the main applications supporting thousands of small to medium businesses operating today,” the researchers said.
“For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom, local changes, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders.”