Several Bugs Found in Three Open-Source Software Packages Used by Many Businesses (Security News, July 2021)
Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects, EspoCRM, Pimcore, and Akaunting, that are widely used by small and medium-sized businesses and, if successfully exploited, could provide a foothold for more sophisticated attacks.
All the flaws in question, which affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted.
Akaunting is open-source, web-based accounting software designed for invoice and expense tracking. The three Akaunting issues are:
CVE-2021-36802 - Denial-of-service via user-controlled 'locale' variable in Akaunting v2.1.12.
CVE-2021-36803 - Persistent XSS during avatar upload in Akaunting v2.1.12.
CVE-2021-36805 - Invoice footer persistent XSS in Akaunting v2.1.12.
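The two input-handling patterns behind the locale and invoice-footer findings are easy to get wrong in any web application: accepting a user-supplied locale without checking its shape or membership in the installed set, and embedding free-text invoice fields in HTML without escaping. The following is an added illustration of the defensive pattern, written in Python for readability; it is not Akaunting's code (Akaunting is a PHP/Laravel application), and the locale allow-list, the `ValidationError` class, and the settings/footer functions are assumptions for the example.

```python
import html
import re

# Constructed allow-list of the locales an installation supports. A real
# deployment would derive this from its installed translation files rather
# than hard-coding it.
SUPPORTED_LOCALES = {"en-GB", "en-US", "de-DE", "fr-FR", "pl-PL"}

# Shape check applied before the allow-list lookup, so path characters,
# overlong strings and control bytes are rejected early and never reach
# locale-loading code.
_LOCALE_RE = re.compile(r"[a-z]{2}(?:-[A-Z]{2})?")


class ValidationError(ValueError):
    """Raised for a rejected field; a web layer would map this to HTTP 422."""


def validate_locale(value, supported=SUPPORTED_LOCALES):
    """Return `value` only if it is a well-formed, supported locale tag.

    The isinstance check also rejects non-string form values (for example
    an array smuggled in as `locale[]=...`), which would otherwise reach
    string operations downstream.
    """
    if not isinstance(value, str) or not _LOCALE_RE.fullmatch(value):
        raise ValidationError("locale has an invalid format")
    if value not in supported:
        raise ValidationError("locale is not supported")
    return value


def update_user_settings(form, current):
    """Apply a settings POST to a copy of the stored user record.

    `form` is the decoded POST body and `current` the stored settings.
    A rejected locale leaves the stored value untouched, so bad data is
    never persisted for later requests to trip over. Returns the updated
    settings and a dict of field errors.
    """
    updated = dict(current)
    errors = {}
    if "locale" in form:
        try:
            updated["locale"] = validate_locale(form["locale"])
        except ValidationError as exc:
            errors["locale"] = str(exc)
    return updated, errors


def render_invoice_footer(footer_text):
    """Escape user-controlled footer text before embedding it in invoice HTML.

    html.escape with quote=True also neutralises quotes, so the same helper
    is safe for text that lands inside an attribute value.
    """
    return '<div class="footer">%s</div>' % html.escape(footer_text, quote=True)


if __name__ == "__main__":
    # Constructed sample requests: one valid, one malformed, one well-formed
    # but unsupported, plus a footer carrying a script tag.
    stored = {"locale": "en-US"}
    for body in ({"locale": "en-GB"}, {"locale": "../../etc/passwd"},
                 {"locale": "xx-XX"}, {"locale": ["en-GB"]}):
        print(body, "->", update_user_settings(body, stored))
    print(render_invoice_footer("Thanks! <script>alert(1)</script>"))
```

The important design point is that the locale check fails closed at the request boundary and returns a field error, rather than storing the value and letting a later template or translation lookup fail on every page load; the footer helper is the output-encoding half of the same discipline, applied at render time rather than trusting whatever was saved.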
Related Vulnerabilities
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS base score)
---|---|---|---
2021-08-04 | CVE-2021-36805 | Cross-site Scripting vulnerability in Akaunting: Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the sales invoice processing component of the application. | 4.8
2021-08-04 | CVE-2021-36803 | Cross-site Scripting vulnerability in Akaunting: Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. | 5.4
2021-08-04 | CVE-2021-36802 | Unspecified vulnerability in Akaunting: Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. | 6.5