CVE-2009-4046

Name of the Vulnerable Software and Affected Versions FrontAccounting versions 2.2.x before 2.2 RC

Description The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via unspecified parameters to various API endpoints, including "bank accounts.php", "currencies.php", "exchange rates.php", "gl account types.php", and "gl accounts.php" in the "gl/manage/" directory, as well as "audit trail db.inc", "comments db.inc", "inventory db.inc", "manufacturing db.inc", and "references db.inc" in the "includes/db/" directory.

Recommendations For FrontAccounting versions 2.2.x before 2.2 RC, update to version 2.2 RC or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints and database includes until the update can be applied. Avoid using unspecified parameters in the affected endpoints until the issue is resolved.