CVE-2024-58293
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Akaunting | Akaunting | 3.1.8 | affected |
Weaknesses
- CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/52030
- https://akaunting.com/forum
- https://www.softaculous.com/apps/erp/Akaunting
- https://www.vulncheck.com/advisories/akaunting-server-side-template-injection-via-multiple-form-fields
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.