Cybersecurity researchers on Tuesday revealed nine security vulnerabilities affecting three open source projects – EspoCRM, Pimcore and Akaunting – which are widely used by small and medium-sized businesses and, if exploited successfully, could pave the way for more sophisticated attacks.
All the security vulnerabilities in question, which affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0 and Akaunting v2.1.12, were fixed within one day of responsible disclosure, according to researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7. Six of the nine flaws were discovered in the Akaunting project.
EspoCRM is an open source customer relationship management (CRM) application, while Pimcore is an open source enterprise software platform for customer data management, digital asset management, content management and digital commerce. Akaunting, on the other hand, is open source online accounting software designed for tracking invoices and expenses.
The list of problems is as follows –
- CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
- CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
- CVE-2021-31869 (CVSS score: 6.5) – SQL injection in Pimcore AdminBundle v6.8.0
- CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
- CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
- CVE-2021-36802 (CVSS score: 6.5) – Denial of service via user-controlled “locale” variable in Akaunting v2.1.12
- CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS when uploading avatar in Akaunting v2.1.12
- CVE-2021-36804 (CVSS score: 5.4) – Weak password reset in Akaunting v2.1.12
- CVE-2021-36805 (CVSS score: 5.2) – Persistent XSS in invoice footer in Akaunting v2.1.12
Akaunting also fixed a weak password reset vulnerability in which an attacker can abuse the “I forgot my password” feature to make the application send a phishing email to a registered user containing a malicious link which, when clicked, hands over the password reset token. The attacker can then use that token to set a password of their choice.
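The weakness above comes down to the reset token being obtainable by someone other than the account owner. The following is an added illustration of the defensive properties a reset flow should have, written for this article rather than taken from Akaunting or any of the projects mentioned: the emailed link is built from a configured application origin (not from anything in the incoming request), the token is generated from the OS CSPRNG, only its hash is stored, it is bound to one account, it expires, and it can be consumed exactly once. The `PasswordResetService` class, the dictionary-backed user store and the `APP_URL` value are constructed for the example; the article does not state the root cause of the Akaunting issue, so this is a generic hardening pattern, not a description of that fix.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration: the canonical origin is fixed in config, never derived
# from request headers, so the link in the email always points back to this app.
APP_URL = "https://accounting.example.com"
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Store only a hash: a leaked database row does not yield a usable token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here because it is in the standard library; a production
    # system would typically use argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class PasswordResetService:
    """Hypothetical reset flow over a dict user store (email -> record)."""

    def __init__(self, users: dict, now=time.time):
        self.users = users
        self.now = now  # injectable clock so expiry can be exercised in a test

    def request_reset(self, email: str):
        """Return the link to be emailed, or None when no such account exists.

        The caller should respond identically in both cases to avoid account
        enumeration; only the mailbox owner ever sees the token.
        """
        user = self.users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        user["reset"] = {"hash": _hash_token(token),
                         "expires": self.now() + TOKEN_TTL_SECONDS}
        return f"{APP_URL}/password/reset?" + urlencode({"email": email, "token": token})

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Consume the token; every failure path returns False."""
        user = self.users.get(email)
        if user is None or user.get("reset") is None:
            return False
        record = user["reset"]
        if self.now() > record["expires"]:
            user["reset"] = None  # expired tokens are discarded, not honoured
            return False
        if not hmac.compare_digest(record["hash"], _hash_token(token)):
            return False  # constant-time comparison against the stored hash
        user["reset"] = None  # single use: a replayed link does nothing
        user["salt"] = secrets.token_bytes(16)
        user["password_hash"] = _hash_password(new_password, user["salt"])
        return True


def demo() -> dict:
    """Constructed scenario that exercises each check; returns the outcomes."""
    clock = [1_000_000.0]
    users = {e: {"password_hash": b"", "salt": b"", "reset": None}
             for e in ("alice@example.com", "bob@example.com")}
    svc = PasswordResetService(users, now=lambda: clock[0])
    alice_link = svc.request_reset("alice@example.com")
    svc.request_reset("bob@example.com")
    alice_token = parse_qs(urlparse(alice_link).query)["token"][0]
    out = {}
    out["link_on_app_origin"] = alice_link.startswith(APP_URL + "/")
    out["unknown_account"] = svc.request_reset("nobody@example.com") is None
    out["token_bound_to_account"] = not svc.complete_reset("bob@example.com", alice_token, "x")
    out["guessed_token_rejected"] = not svc.complete_reset("alice@example.com", "A" * 43, "x")
    out["valid_reset"] = svc.complete_reset("alice@example.com", alice_token, "new-pass")
    out["replay_rejected"] = not svc.complete_reset("alice@example.com", alice_token, "again")
    late_link = svc.request_reset("alice@example.com")
    late_token = parse_qs(urlparse(late_link).query)["token"][0]
    clock[0] += TOKEN_TTL_SECONDS + 1
    out["expired_rejected"] = not svc.complete_reset("alice@example.com", late_token, "late")
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Each property in `demo()` corresponds to one way a reset flow can be abused: a link that points somewhere other than the application, a token usable against a different account, a guessable or replayable token, and a token that never expires.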
“These three projects have real users, real customers of their support services and their cloud-hosted versions, and are undoubtedly the primary applications supporting thousands of small and medium businesses running today,” the researchers noted.
“For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom local changes, users of these apps can limit their exposure by not presenting their production instances to the internet directly – instead, expose them only to trusted internal networks with trusted insiders.”