A few days ago, nine security vulnerabilities were disclosed in three popular open source projects: EspoCRM, Pimcore and Akaunting. “These three projects have been widely used by thousands of enterprise users and are core applications supporting their services and cloud hosting efforts,” the researchers noted. “If these vulnerabilities are successfully exploited by attackers, they could open the door to more sophisticated attacks.”
The vulnerabilities affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0 and Akaunting v2.1.12, said Wiktor Sędkowski, a technician at Nokia, and Trevor; all of them were repaired within a day of disclosure.
EspoCRM is an open source customer relationship management (CRM) application, and Pimcore is an open source enterprise software platform for customer data management, digital asset management, content management and digital commerce. Akaunting, on the other hand, is an open-source online accounting software designed for invoicing and expense tracking.
The list of vulnerabilities is as follows:
CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6;
CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0;
CVE-2021-31869 (CVSS score: 6.5) – Pimcore AdminBundle v6.8.0;
CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12;
CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12;
CVE-2021-36802 (CVSS score: 6.5) – Denial of service via user-controlled “locale” variable in Akaunting v2.1.12;
CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12;
CVE-2021-36804 (CVSS score: 5.4) – Weak password reset in Akaunting v2.1.12;
CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12.
Fortunately, the researchers point out: “Users can address the above security issues by updating the application version. For users who cannot update, the threat exposure can also be reduced by hiding their production instances, exposing them only to trusted people on the internal company network.”