PT-2021-21371 · Laravel +1

Daniel Coulbourne +1 · Published 2021-08-04 · Updated 2021-09-01 · CVE-2021-36804

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Akaunting versions 2.1.12 and earlier

Description
Akaunting 2.1.12 and earlier allow an attacker who knows a target user's e-mail address to proxy a password reset request through a running Akaunting instance: the absolute link placed in the reset e-mail is derived from request-supplied proxy (forwarded host) headers, so the attacker can make it point at a host they control, and a target who follows the link hands the reset token to the attacker. The root cause is the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. This is not technically a vulnerability in Laravel, but the default configuration can lead to the same class of vulnerability in other Laravel projects that implement multi-tenant applications.

Recommendations
For Akaunting versions 2.1.12 and earlier, update to version 2.1.13, which resolves the issue. As a temporary workaround, restrict access to the password reset functionality until the update is applied. In other Laravel deployments, review the trusted-proxy configuration (which upstream addresses are allowed to supply X-Forwarded-* headers) and make sure absolute URLs are generated from the configured application URL rather than from request-supplied host headers, especially in multi-tenant setups.
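The following is an added illustration of the configuration issue the advisory describes; it is not Akaunting's or Laravel's own code and does not reproduce the exact Akaunting change. It contrasts a Laravel TrustProxies middleware that honours X-Forwarded-* headers from any client with one that honours them only from known proxies, and shows a service provider that pins URL generation (including the link in the password reset e-mail) to the configured APP_URL. Class and constant names follow the Laravel 8 skeleton (older skeletons import Fideloper\Proxy\TrustProxies instead); the proxy address ranges and the APP_URL value are placeholders.

```php
<?php
// Added example, not project code. Two TrustProxies variants side by side,
// then a provider that forces the URL root. Addresses and URLs are placeholders.

namespace App\Http\Middleware;

use Illuminate\Http\Middleware\TrustProxies as Middleware;
use Illuminate\Http\Request;

// WEAK: '*' trusts every upstream address (a documented Laravel option meant for
// unknown cloud load balancers). If the application is reachable directly, any
// client can send "X-Forwarded-Host: attacker.example" and every absolute URL
// Laravel generates for that request, including the password reset link that
// is e-mailed to the victim, is built against the attacker's host.
class TrustAllProxies extends Middleware
{
    protected $proxies = '*';

    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO;
}

// HARDENED: only the reverse proxies that actually sit in front of the
// application are trusted, so forwarded headers from anyone else are ignored
// and the request host falls back to what the proxy itself presents.
class TrustProxies extends Middleware
{
    protected $proxies = [
        '10.0.0.0/8',   // placeholder: internal load balancer subnet
        '192.0.2.10',   // placeholder: edge reverse proxy
    ];

    protected $headers =
        Request::HEADER_X_FORWARDED_FOR |
        Request::HEADER_X_FORWARDED_HOST |
        Request::HEADER_X_FORWARDED_PORT |
        Request::HEADER_X_FORWARDED_PROTO;
}

namespace App\Providers;

use Illuminate\Support\Facades\URL;
use Illuminate\Support\ServiceProvider;

// Defence in depth: generate every absolute URL from APP_URL instead of from the
// Host / X-Forwarded-Host of the incoming request, so a spoofed header cannot
// change where the reset link points even if the proxy list is wrong.
class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Assumes APP_URL=https://books.example (placeholder) in .env
        URL::forceRootUrl(config('app.url'));
        URL::forceScheme('https');
    }
}
```

Caveat for multi-tenant deployments: forcing a single root URL is only correct when every tenant is served from one hostname. Where each tenant has its own host, resolve the incoming host against the tenant table and force the root URL to that known value rather than echoing whatever the request or a forwarded header supplied. To check a deployment, request a password reset while sending a bogus X-Forwarded-Host (and a bogus Host) and confirm the link in the resulting e-mail still uses the configured hostname.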

Related Identifiers

CVE-2021-36804
GHSA-246R-R2WF-FRHX

Affected Products

Akaunting
Laravel