MidnightBSD

Advisories for frontaccounting

CVE-2007-5148 MEDIUM

Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
frontaccounting frontaccounting 1.12
CVE-2011-3740 MEDIUM

FrontAccounting 2.3.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by reporting/includes/fpdi/fpdi2tcpdf_bridge.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
frontaccounting frontaccounting 2.3.1
CVE-2014-3973 HIGH

Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
frontaccounting frontaccounting *
frontaccounting frontaccounting 2.3.13
frontaccounting frontaccounting 2.3
frontaccounting frontaccounting 2.3.6
frontaccounting frontaccounting 2.3.11
frontaccounting frontaccounting 2.3.12
frontaccounting frontaccounting 2.3.17
frontaccounting frontaccounting 2.3.16
frontaccounting frontaccounting 2.3.19
frontaccounting frontaccounting 2.3.10
frontaccounting frontaccounting 2.3.0
frontaccounting frontaccounting 2.3.14
frontaccounting frontaccounting 2.3.18
frontaccounting frontaccounting 2.3.5
frontaccounting frontaccounting 2.3.7
frontaccounting frontaccounting 2.3.1
frontaccounting frontaccounting 2.3.2
frontaccounting frontaccounting 2.3.3
frontaccounting frontaccounting 2.3.15
frontaccounting frontaccounting 2.3.8
frontaccounting frontaccounting 2.3.4
frontaccounting frontaccounting 2.3.9
CVE-2018-1000890 MEDIUM

FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
frontaccounting frontaccounting 2.4.5
CVE-2018-7176 MEDIUM

FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
frontaccounting frontaccounting 2.4.3
CVE-2019-5720 HIGH

includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
frontaccounting frontaccounting 2.4.6
CVE-2020-21244 MEDIUM

An issue was discovered in FrontAccounting 2.4.7. There is a Directory Traversal vulnerability that can empty folder via admin/inst_lang.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
frontaccounting frontaccounting 2.4.7