Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects — EspoCRM, Pimcore, and Akaunting — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks.

All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted. Six of the nine flaws were uncovered in the Akaunting project.

EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is open-source online accounting software designed for invoice and expense tracking.

The list of issues is as follows –

  • CVE-2021-3539 (CVSS score: 6.3) – Persistent XSS flaw in EspoCRM v6.1.6
  • CVE-2021-31867 (CVSS score: 6.5) – SQL injection in Pimcore Customer Data Framework v3.0.0
  • CVE-2021-31869 (CVSS score: 6.5) – SQL injection in Pimcore AdminBundle v6.8.0
  • CVE-2021-36800 (CVSS score: 8.7) – OS command injection in Akaunting v2.1.12
  • CVE-2021-36801 (CVSS score: 8.5) – Authentication bypass in Akaunting v2.1.12
  • CVE-2021-36802 (CVSS score: 6.5) – Denial-of-service via user-controlled ‘locale’ variable in Akaunting v2.1.12
  • CVE-2021-36803 (CVSS score: 6.3) – Persistent XSS during avatar upload in Akaunting v2.1.12
  • CVE-2021-36804 (CVSS score: 5.4) – Weak password reset in Akaunting v2.1.12
  • CVE-2021-36805 (CVSS score: 5.2) – Invoice footer persistent XSS in Akaunting v2.1.12

Successful exploitation of the flaws could enable an authenticated adversary to execute arbitrary JavaScript code, commandeer the underlying operating system and use it as a beachhead to launch additional nefarious attacks, trigger a denial-of-service via a specially-crafted HTTP request, and even change the company associated with a user account sans any authorization.

Also addressed in Akaunting is a weak password reset vulnerability where the attacker can abuse the “I forgot my password” functionality to send a phishing email from the application to a registered user containing a malicious link that, when clicked, delivers the password reset token. The bad actor can then use the token to set a password of their choice.

“All three of these projects have real users, real customers of their attendant support services and cloud-hosted versions, and are undoubtedly the core applications supporting thousands of small to medium businesses running today,” the researchers noted.

“For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom, local changes, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders.”