Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects, EspoCRM, Pimcore, and Akaunting, which are widely used by small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks.
All of the security flaws in question, which affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted. Six of the nine flaws were discovered in the Akaunting project.
EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is open-source online accounting software designed for invoice and expense tracking.
The list of issues is as follows:
- CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
- CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
- CVE-2021-31869 (CVSS score: 6.5) – Pimcore AdminBundle v6.8.0
- CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
- CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
- CVE-2021-36802 (CVSS score: 6.5) – Denial-of-service via user-controlled 'locale' variable in Akaunting v2.1.12
- CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12
- CVE-2021-36804 (CVSS score: 5.4) – Weak password reset in Akaunting v2.1.12
- CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12
[Image: Pimcore Customer Data Framework]
Also addressed in Akaunting is a weak password reset vulnerability in which an attacker can abuse the "I forgot my password" functionality to make the application itself send a phishing email to a registered user. The email contains a malicious link that, when clicked, delivers the user's password reset token to the attacker, who can then use the token to set a password of their choice.
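The following is an added illustration of how that class of password-reset weakness typically arises, not code from the article or from the Akaunting project. It assumes the common root cause for such flaws, a reset link built from the attacker-controlled Host header of the request that triggered the reset, and that the mailed link carries the token in its query string; the article does not state Akaunting's actual root cause, and the hostnames, user store and function names here are constructed for the example. The hardened variant builds the link from a fixed, operator-configured application URL instead.

```python
"""Weak vs. hardened password-reset link construction (added illustration, assumed mechanism)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed operator configuration: the canonical public URL of the deployment.
APP_URL = "https://accounting.example.com"

# Constructed in-memory user store; a real app would persist hashed tokens with an expiry.
USERS = {"alice@example.com": {"password": "old-password", "reset_token": None}}


def issue_reset_token(email: str) -> str:
    """Mint a fresh random token and bind it to the account."""
    token = secrets.token_urlsafe(32)
    USERS[email]["reset_token"] = token
    return token


def build_reset_link_weak(request_host: str, email: str) -> str:
    """Weak pattern: the mailed link is built from the Host header of whoever
    triggered 'I forgot my password'. An attacker who sends that request with a
    spoofed Host gets a legitimate-looking email pointing at their own domain."""
    token = issue_reset_token(email)
    return f"https://{request_host}/auth/reset?" + urlencode({"email": email, "token": token})


def build_reset_link_hardened(request_host: str, email: str) -> str:
    """Hardened: the request host is ignored; the link always points at APP_URL."""
    del request_host  # deliberately unused
    token = issue_reset_token(email)
    return f"{APP_URL}/auth/reset?" + urlencode({"email": email, "token": token})


def link_host(link: str) -> str:
    """Hostname the victim's browser will contact when the link is clicked."""
    return urlsplit(link).hostname or ""


def harvest_token(link: str) -> str:
    """What an attacker's server learns when the victim clicks a link to it."""
    return parse_qs(urlsplit(link).query)["token"][0]


def reset_password(email: str, token: str, new_password: str) -> bool:
    """Consume the token (single use) and set a new password; constant-time compare."""
    stored = USERS.get(email, {}).get("reset_token")
    if stored is None or not hmac.compare_digest(stored, token):
        return False
    USERS[email]["password"] = new_password
    USERS[email]["reset_token"] = None
    return True


def demo() -> dict:
    victim = "alice@example.com"
    # Attacker triggers the reset flow for the victim with a spoofed Host header.
    weak_link = build_reset_link_weak("attacker.example", victim)
    stolen = harvest_token(weak_link)  # victim clicks; the token reaches the attacker
    takeover = reset_password(victim, stolen, "attacker-chosen")
    # The same spoofed request against the hardened builder keeps the link on the real host.
    safe_link = build_reset_link_hardened("attacker.example", victim)
    return {"weak_host": link_host(weak_link), "takeover": takeover,
            "safe_host": link_host(safe_link)}


if __name__ == "__main__":
    print(demo())
```

The token in the weak flow is perfectly random and single-use, which shows that the defect is not in token generation but in where the application sends it; pinning the link to a configured base URL (and, in a real deployment, also rejecting unexpected Host values at the web server) is what closes the hole.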
"All three of these projects have real users, real customers of their attendant support services and cloud-hosted versions, and are undoubtedly the core applications supporting thousands of small to medium businesses running today," the researchers noted.
"For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom, local changes, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders."