Researchers from the security firm FireEye revealed nine security flaws in three open-source projects. The issues affect Pimcore, EspoCRM, and Akaunting. Six of the nine flaws were found in the Akaunting project.
Pimcore, EspoCRM, and Akaunting are among the most popular open-source software platforms used by businesses globally. EspoCRM is an open-source CRM application; Pimcore is an open-source enterprise software platform for customer data management, digital commerce, and more; and Akaunting is open-source online accounting software.
The flaws in question affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12. If successfully exploited, these flaws could open the way to more sophisticated attacks.
All the flaws were fixed within a day of being disclosed, according to researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 who recently published a report.
The full list of issues is:
- CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
- CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
- CVE-2021-31869 (CVSS score: 6.5) – Pimcore AdminBundle v6.8.0
- CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
- CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
- CVE-2021-36802 (CVSS score: 6.5) – Denial-of-service via user-controlled ‘locale’ variable in Akaunting v2.1.12
- CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12
- CVE-2021-36804 (CVSS score: 5.4) – Weak Password Reset in Akaunting v2.1.12
- CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12
The flaws could allow an attacker to execute arbitrary JavaScript code without requiring an authenticated user account. They could also allow a hacker to take over the operating system and launch a denial-of-service attack.
In one instance, a weak password reset flaw in Akaunting allowed an attacker who supplied a registered user's email address to trick the system into providing a reset link.
If you are subject to these issues, please update your applications immediately. Doing so will prevent further exploitation and minimize your exposure.
“If updating is difficult or impossible due to external factors or custom, local changes, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders,” the researchers advised.