Vulnerabilities > Frontaccounting

DATE CVE VULNERABILITY TITLE RISK
2020-09-30 CVE-2020-21244 Path Traversal vulnerability in Frontaccounting 2.4.7
An issue was discovered in FrontAccounting 2.4.7.
network
low complexity
frontaccounting CWE-22
5.5
2019-01-08 CVE-2019-5720 SQL Injection vulnerability in Frontaccounting 2.4.6
includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.
network
low complexity
frontaccounting CWE-89
7.5
2018-12-28 CVE-2018-1000890 SQL Injection vulnerability in Frontaccounting 2.4.5
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.
network
low complexity
frontaccounting CWE-89
5.0
2018-02-16 CVE-2018-7176 Cross-Site Request Forgery (CSRF) vulnerability in Frontaccounting 2.4.3
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
6.8
2014-06-05 CVE-2014-3973 SQL Injection vulnerability in Frontaccounting
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
frontaccounting CWE-89
7.5
2011-09-23 CVE-2011-3740 Information Exposure vulnerability in Frontaccounting 2.3.1
FrontAccounting 2.3.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by reporting/includes/fpdi/fpdi2tcpdf_bridge.php and certain other files.
network
low complexity
frontaccounting CWE-200
5.0
2009-11-20 CVE-2009-4046 SQL Injection vulnerability in Frontaccounting 2.2
Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
network
low complexity
frontaccounting CWE-89
7.5
2009-11-20 CVE-2009-4045 SQL Injection vulnerability in Frontaccounting
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to various .inc and .php files in (1) reporting/, (2) sales/, (3) sales/includes/, (4) sales/includes/db/, (5) sales/inquiry/, (6) sales/manage/, (7) sales/view/, (8) taxes/, and (9) taxes/db/.
network
low complexity
frontaccounting CWE-89
7.5
2009-11-20 CVE-2009-4037 SQL Injection vulnerability in Frontaccounting
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7, and 2.2.x before 2.2 RC, allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/db/users_db.inc, and various other .inc and .php files under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, and (7) purchasing/.
network
low complexity
frontaccounting CWE-89
7.5
2007-09-27 CVE-2007-5117 Code Injection vulnerability in Frontaccounting 1.13
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
network
frontaccounting CWE-94
critical
9.3