CVE-2021-36800
8.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. A POST sent to /{company_id}/sales/invoices/{invoice_id} with an items[0][price] that includes a PHP callable function is executed directly. This issue was fixed in version 2.1.13 of the product.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Akaunting | Akaunting | 2.1.12 <= 2.1.12 | affected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.