A number of Bugs Present in 3 Open-Supply Software program Utilized by A number of Companies

business software vulnerability

Cybersecurity researchers on Tuesday disclosed 9 safety vulnerabilities affecting three open-source initiatives — EspoCRM, Pimcore, and Akaunting — which can be broadly utilized by a number of small to medium companies and, if efficiently exploited, may present a pathway to extra refined assaults.

All the safety flaws in query, which influence EspoCRM v6.1.6, Pimcore Buyer Information Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, had been mounted inside a day of accountable disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 famous. Six of the 9 flaws had been uncovered within the Akaunting venture.

Stack Overflow Teams

EspoCRM is an open-source buyer relationship administration (CRM) utility, whereas Pimcore is an open-source enterprise software program platform for buyer information administration, digital asset administration, content material administration, and digital commerce. Akaunting, however, is an open-source and on-line accounting software program designed for bill and expense monitoring.

The checklist of points is as follows –

  • CVE-2021-3539 (CVSS rating: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
  • CVE-2021-31867 (CVSS rating: 6.5) – SQL injection in Pimcore Buyer Information Framework v3.0.0
  • CVE-2021-31869 (CVSS rating: 6.5) – Pimcore AdminBundle v6.8.0
  • CVE-2021-36800 (CVSS rating: 8.7) – OS command injection in Akaunting v2.1.12
  • CVE-2021-36801 (CVSS rating: 8.5) – Authentication bypass in Akaunting v2.1.12
  • CVE-2021-36802 (CVSS rating: 6.5) – Denial-of-service through user-controlled ‘locale’ variable in Akaunting v2.1.12
  • CVE-2021-36803 (CVSS rating: 6.3) – Persistent XSS throughout avatar add in Akaunting v2.1.12
  • CVE-2021-36804 (CVSS rating: 5.4) – Weak Password Reset in Akaunting v2.1.12
  • CVE-2021-36805 (CVSS rating: 5.2) – Bill footer persistent XSS in Akaunting v2.1.12

Profitable exploitation of the issues may allow an authenticated adversary to execute arbitrary JavaScript code, commandeer the underlying working system and use it as a beachhead to launch extra nefarious assaults, set off a denial-of-service through a specially-crafted HTTP request, and even change the corporate related to a consumer account sans any authorization.

Pimcore Buyer Information Framework

Additionally addressed in Akaunting is a weak password reset vulnerability the place the attacker can abuse the “I forgot my password” performance to ship a phishing electronic mail from the applying to a registered consumer containing a malicious hyperlink that, when clicked, delivers the password reset token. The dangerous actor can then use the token to set a password of their alternative.

Enterprise Password Management

“All three of those initiatives have actual customers, actual prospects of their attendant assist providers and cloud-hosted variations, and are undoubtedly the core purposes supporting 1000’s of small to medium companies operating right now,” the researchers famous.

“For all of those points, updating to the most recent variations of the affected purposes will resolve them. If updating is tough or inconceivable on account of exterior elements or customized, native adjustments, customers of those purposes can restrict their publicity by not presenting their manufacturing cases to the web immediately — as a substitute, expose them solely to trusted inside networks with trusted insiders.”

Source link