Major security flaws were found in Pimcore Customer Data Framework v3.0.0, EspoCRM v6.1.6, Akaunting v2.1.12, and Pimcore AdminBundle v6.8.0; the flaws in the Akaunting project were fixed promptly after disclosure, while the other six flaws were uncovered.
Akaunting is open-source online accounting software that tracks expenses and invoices, Pimcore is an open-source enterprise software platform for customer data management, content management, digital asset management, and digital commerce, and EspoCRM is an open-source customer relationship management application.
The major issues are:
- CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12
- CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
- CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
- CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
- CVE-2021-36802 (CVSS score: 6.5) – Denial-of-service via user-controlled ‘locale’ variable in Akaunting v2.1.12
- CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
- CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12
- CVE-2021-31869 (CVSS score: 6.5) – Pimcore AdminBundle v6.8.0
- CVE-2021-36804 (CVSS score: 5.4) – Weak Password Reset in Akaunting v2.1.12
The researcher said: “All three of these projects have real users, real customers of their attendant support services and cloud-hosted versions, and are undoubtedly the core applications supporting thousands of small to medium businesses running today.”