Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects — EspoCRM, Pimcore, and Akaunting — which are widely used by a number of small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks.
All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted. Six of the nine flaws were uncovered in the Akaunting project.
EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is an open-source online accounting application designed for invoice and expense tracking.
The list of issues is as follows:
- CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
- CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
- CVE-2021-31869 (CVSS score: 6.5) – Pimcore AdminBundle v6.8.0
- CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
- CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
- CVE-2021-36802 (CVSS score: 6.5) – Denial-of-service via user-controlled ‘locale’ variable in Akaunting v2.1.12
- CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12
- CVE-2021-36804 (CVSS score: 5.4) – Weak password reset in Akaunting v2.1.12
- CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12
[Image: Pimcore Customer Data Framework]
Also addressed in Akaunting is a weak password reset vulnerability where the attacker can abuse the “I forgot my password” functionality to send a phishing email from the application to a registered user containing a malicious link that, when clicked, delivers the password reset token. The bad actor can then use the token to set a password of their choice.
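The weak point in the flow described above is that the application itself builds and emails a link that can point somewhere the attacker controls, so the reset token is handed to the wrong party. The sketch below is an added illustration, not code from Akaunting or from the researchers' writeup, and it assumes one common way such a link goes wrong: deriving the link's host from the incoming request rather than from fixed configuration (the page does not state Akaunting's exact mechanism). It contrasts that weak pattern with a hardened reset service that always uses a configured canonical origin, stores only a hash of the token, binds the token to a user, and makes it single-use and time-limited. `CANONICAL_ORIGIN`, `RESET_PATH`, and all hosts are constructed placeholder values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed deployment configuration (placeholders): the only origin a reset
# link may ever point at. It comes from config, never from request headers.
CANONICAL_ORIGIN = "https://accounts.example.test"
RESET_PATH = "/password/reset"
TOKEN_TTL_SECONDS = 15 * 60


def weak_reset_link(request_host: str, token: str) -> str:
    """Assumed illustration of the weak pattern: the link host is taken from the
    request, so whoever triggers the reset decides where the user is sent."""
    return f"https://{request_host}{RESET_PATH}?{urlencode({'token': token})}"


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hardened reset flow: fixed origin, hashed single-use tokens with expiry."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now              # injectable clock so expiry can be tested
        self._records = {}           # token hash -> ResetRecord (in-memory store)

    @staticmethod
    def _hash(token: str) -> str:
        # Store only a digest, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, requested_host: Optional[str] = None) -> str:
        """Return the URL to e-mail. requested_host is accepted only to make the
        point explicit: it is deliberately ignored when building the link."""
        token = secrets.token_urlsafe(32)    # 256 bits of CSPRNG entropy
        self._records[self._hash(token)] = ResetRecord(
            user_id=user_id, expires_at=self._now() + TOKEN_TTL_SECONDS
        )
        return f"{CANONICAL_ORIGIN}{RESET_PATH}?{urlencode({'token': token})}"

    def redeem(self, token: str, user_id: str) -> bool:
        """Accept the token once, only for the user it was issued to, only
        while it is fresh. Every failure path returns False without details."""
        rec = self._records.get(self._hash(token))
        if rec is None:
            return False
        if rec.used or self._now() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.user_id, user_id):
            return False
        rec.used = True                      # single use: burn it on success
        return True


def link_uses_canonical_origin(url: str) -> bool:
    """Outbound check a mail-sending layer can apply before any e-mail leaves."""
    return url.startswith(CANONICAL_ORIGIN + "/")


if __name__ == "__main__":
    svc = PasswordResetService()
    attacker_host = "attacker.example.test"   # constructed value
    print("weak   :", weak_reset_link(attacker_host, "tok"))
    print("hardened:", svc.issue("user-1", requested_host=attacker_host))
```

The `link_uses_canonical_origin` check is a cheap second line of defence: even if some code path does build a link from request data, the mailer refuses to send anything whose origin is not the configured one.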
“All three of these projects have real users, real customers of their attendant support services and cloud-hosted versions, and are undoubtedly the core applications supporting thousands of small to medium businesses operating today,” the researchers noted.
“For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom, local modifications, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders.”