Akaunting

11 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.

Exploit
  • EPSS 0.06%
  • Published 21.08.2025 17:15:31
  • Last modified 10.09.2025 19:56:25

An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial of Service (DoS) via a crafted POST request.

Exploit
  • EPSS 0.07%
  • Published 21.08.2025 17:15:31
  • Last modified 10.09.2025 20:02:08

Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter.

  • EPSS 32.66%
  • Published 08.02.2024 20:15:52
  • Last modified 21.11.2024 08:56:41

An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.

Exploit
  • EPSS 0.28%
  • Published 25.10.2021 15:15:07
  • Last modified 21.11.2024 05:12:18

Akaunting v1.3.17 was discovered to contain a stored cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Company Name input field.

Exploit
  • EPSS 0.29%
  • Published 04.08.2021 23:15:08
  • Last modified 21.11.2024 06:14:07

Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, companies[0]. This issue was fixed in version 2.1.13 of the product.

Exploit
  • EPSS 0.36%
  • Published 04.08.2021 23:15:08
  • Last modified 21.11.2024 06:14:08

Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product.

Exploit
  • EPSS 0.33%
  • Published 04.08.2021 23:15:08
  • Last modified 21.11.2024 06:14:08

Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 2.1.13 of the product.

Exploit
  • EPSS 0.33%
  • Published 04.08.2021 23:15:08
  • Last modified 21.11.2024 06:14:08

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was ...

Exploit
  • EPSS 0.3%
  • Published 04.08.2021 23:15:08
  • Last modified 21.11.2024 06:14:08

Akaunting version 2.1.12 and earlier suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in the sales invoice processing component of the application. This issue was fixed in version 2.1.13 of the product.

Exploit
  • EPSS 0.32%
  • Published 04.08.2021 23:15:07
  • Last modified 21.11.2024 06:14:07

Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. A POST sent to /{company_id}/sales/invoices/{invoice_id} with an items[0][price] that includes a PHP callable function is executed...