PT-2021-10759 · Akaunting · Akaunting

Published: 2021-06-21 · Updated: 2024-02-14 · CVE-2020-22390

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Akaunting versions 2.0.9 and earlier

Description

The issue concerns a CSV injection vulnerability in the Item name field of the export function. Attackers can inject arbitrary code into the name parameter, potentially leading to code execution when the crafted file is opened.

Recommendations

For versions 2.0.9 and earlier, consider restricting the use of the export function or limiting the input allowed in the Item name field until a fix is available. As a temporary workaround, avoid using the name parameter in the export function to minimize the risk of exploitation.
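
One way to apply the input-limiting recommendation at export time, shown as an added example that is not Akaunting's own code. It assumes a PHP 7.4+ export path; the helper names `neutralise_cell` and `export_items` and the sample rows are constructed for illustration. Cells whose first character would start a spreadsheet formula are prefixed with a single quote, following OWASP's CSV injection guidance.

```php
<?php
declare(strict_types=1);

// Leading characters that make a spreadsheet evaluate a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Neutralise one cell value before it is written to a CSV export.
 * Hypothetical helper, not part of Akaunting.
 */
function neutralise_cell($value): string
{
    $text = (string) $value;
    if ($text === '') {
        return $text;
    }
    // Plain numbers such as -25.00 are legitimate amounts; leave them as they are.
    if (is_numeric($text)) {
        return $text;
    }
    // Prefix a single quote so the spreadsheet shows the text instead of evaluating it.
    if (in_array($text[0], FORMULA_TRIGGERS, true)) {
        return "'" . $text;
    }
    return $text;
}

/** Write rows to an open stream, neutralising every cell (hypothetical helper). */
function export_items(array $rows, $stream): void
{
    foreach ($rows as $row) {
        // fputcsv quotes embedded separators and quotes, so a value cannot
        // break out into a new cell; '' disables PHP's non-standard escape char.
        fputcsv($stream, array_map('neutralise_cell', $row), ',', '"', '');
    }
}

// Constructed sample rows: one ordinary item, one formula-style name, one negative amount.
$rows = [
    ['name', 'sale_price'],
    ['Office chair', '149.00'],
    ['=1+1', '10.00'],
    ['Refund', '-25.00'],
];

$out = fopen('php://memory', 'w+');
export_items($rows, $out);
rewind($out);
echo stream_get_contents($out);
```

The same check can also be applied when the Item name is saved, so that values already stored are not the only line of defence at export.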

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2020-22390

Affected Products

Akaunting