Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | 1.12 |
FrontAccounting 2.3.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by reporting/includes/fpdi/fpdi2tcpdf_bridge.php and certain other files.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | 2.3.1 |
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | * |
| frontaccounting | frontaccounting | 2.3.13 |
| frontaccounting | frontaccounting | 2.3 |
| frontaccounting | frontaccounting | 2.3.6 |
| frontaccounting | frontaccounting | 2.3.11 |
| frontaccounting | frontaccounting | 2.3.12 |
| frontaccounting | frontaccounting | 2.3.17 |
| frontaccounting | frontaccounting | 2.3.16 |
| frontaccounting | frontaccounting | 2.3.19 |
| frontaccounting | frontaccounting | 2.3.10 |
| frontaccounting | frontaccounting | 2.3.0 |
| frontaccounting | frontaccounting | 2.3.14 |
| frontaccounting | frontaccounting | 2.3.18 |
| frontaccounting | frontaccounting | 2.3.5 |
| frontaccounting | frontaccounting | 2.3.7 |
| frontaccounting | frontaccounting | 2.3.1 |
| frontaccounting | frontaccounting | 2.3.2 |
| frontaccounting | frontaccounting | 2.3.3 |
| frontaccounting | frontaccounting | 2.3.15 |
| frontaccounting | frontaccounting | 2.3.8 |
| frontaccounting | frontaccounting | 2.3.4 |
| frontaccounting | frontaccounting | 2.3.9 |
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | 2.4.5 |
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-352,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | 2.4.3 |
includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | 2.4.6 |
An issue was discovered in FrontAccounting 2.4.7. There is a Directory Traversal vulnerability that can empty folder via admin/inst_lang.php.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | 1.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| frontaccounting | frontaccounting | 2.4.7 |