Sat. Dec 3rd, 2022

Vulnerabilities in three popular open source software may affect thousands of enterprises

A few days ago, three popular open source projects – EspoCRM, Pimcore and Akaunting – were found to contain nine security vulnerabilities. “These three projects have been widely used by thousands of enterprise users and are core applications supporting their services and cloud hosting efforts,” the researchers noted. “If these vulnerabilities are successfully exploited by attackers, they could open the door to more sophisticated attacks.”

The vulnerabilities affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0 and Akaunting v2.1.12, according to Wiktor Södkowski, a technician at Nokia, and Trevor; all of them were patched within a day of the relevant disclosures.

EspoCRM is an open source customer relationship management (CRM) application, and Pimcore is an open source enterprise software platform for customer data management, digital asset management, content management and digital commerce. Akaunting, on the other hand, is an open-source online accounting software designed for invoicing and expense tracking.

The list of issues is as follows –

CVE-2021-3539 (CVSS Score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6;

CVE-2021-31867 (CVSS Score: 6.5) – SQL Injection in Pimcore Customer Data Framework v3.0.0;

CVE-2021-31869 (CVSS Score: 6.5) – Pimcore AdminBundle v6.8.0;

CVE-2021-36800 (CVSS Score: 8.7) – OS Command Injection in Akaunting v2.1.12;

CVE-2021-36801 (CVSS Score: 8.5) – Authentication bypass in Akaunting v2.1.12;

CVE-2021-36802 (CVSS Score: 6.5) – Denial of service via user-controlled “locale” variable in Akaunting v2.1.12;

CVE-2021-36803 (CVSS Score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12;

CVE-2021-36804 (CVSS Score: 5.4) – Weak password reset in Akaunting v2.1.12;

CVE-2021-36805 (CVSS Score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12.

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, execute arbitrary JavaScript code, take control of the underlying operating system and use it as a beachhead to launch further attacks, trigger a denial of service through specially crafted HTTP requests, and even alter the user accounts of affiliated companies without any authorization.

Fortunately, the researchers point out: “Users can address the above security issues by updating the application version. For users who cannot update, the threat exposure can also be reduced by hiding their production instances, exposing them only to trusted people on the internal company network.”
