PT-2021-3954 · Akaunting · Akaunting

Trevor Christiansen +1

Published 2021-07-27 · Updated 2021-08-11 · CVE-2021-36800

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Akaunting versions 2.1.12 and earlier
Description: The vulnerability is a code injection flaw in the Money.php component of the application. A POST request to the "/{company id}/sales/invoices/{invoice id}" endpoint whose items[0][price] parameter contains the name of a PHP callable causes that callable to be executed directly. Successful exploitation can affect the confidentiality, integrity, and availability of protected information.
Recommendations: For versions 2.1.12 and earlier, update to version 2.1.13, which resolves the issue. As a temporary workaround, restrict access to the Money.php component and to the "/{company id}/sales/invoices/{invoice id}" endpoint to reduce the risk of exploitation, and avoid using the items[0][price] parameter of the affected endpoint until the update is applied.
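The root cause described above is a request value that reaches a money-parsing routine as a string and is treated as something other than a number. The following is an added example of the defensive control a developer would put in front of such a routine; it is not Akaunting's code and does not reproduce Money.php. It assumes a Laravel-style validation layer (the rule array at the end is hypothetical usage) and uses the items[*][price] field names from the advisory; the helper names and sample request bodies are constructed for illustration.

```php
<?php
// Added example (not Akaunting code): server-side validation of a monetary
// amount taken from a request body, so that the value handed on to a money
// parser can only ever be a plain decimal number, never an identifier.

declare(strict_types=1);

/**
 * Return the amount as a float if $raw is a plain decimal number, otherwise null.
 * The pattern is deliberately stricter than is_numeric(): no exponents, no hex,
 * no surrounding whitespace, and no sign other than an optional leading minus.
 */
function parseAmountStrict(string $raw): ?float
{
    if (preg_match('/^-?\d{1,15}(\.\d{1,4})?$/', $raw) !== 1) {
        return null;
    }
    return (float) $raw;
}

/**
 * Validate the items[*][price] fields of a decoded request body.
 * Returns a list of error messages; an empty list means every price is safe
 * to pass to downstream money handling.
 */
function validateInvoiceItems(array $body): array
{
    $errors = [];
    $items = $body['items'] ?? null;
    if (!is_array($items)) {
        return ['items: must be an array'];
    }
    foreach ($items as $i => $item) {
        $price = is_array($item) ? ($item['price'] ?? null) : null;
        if (!is_string($price) && !is_int($price) && !is_float($price)) {
            $errors[] = "items[$i][price]: missing or not a scalar";
            continue;
        }
        if (parseAmountStrict((string) $price) === null) {
            $errors[] = "items[$i][price]: must be a decimal number";
        }
    }
    return $errors;
}

// Hypothetical Laravel-style rule set for the same fields. The 'numeric' rule
// rejects any value that is not a number before controller code can touch it,
// which is the same guarantee parseAmountStrict() gives in plain PHP.
const INVOICE_ITEM_RULES = [
    'items'         => ['required', 'array', 'min:1'],
    'items.*.price' => ['required', 'numeric', 'min:0'],
];

// Constructed sample bodies: one well-formed request, and one whose prices are
// a bare identifier and a scientific-notation string rather than decimals.
$good = ['items' => [['price' => '19.99'], ['price' => 5]]];
$bad  = ['items' => [['price' => 'some_function_name'], ['price' => '1e3']]];

print_r(validateInvoiceItems($good));
print_r(validateInvoiceItems($bad));
```

Running the script prints an empty array for the first body and two error messages for the second. The point of the strict regex rather than a bare is_numeric() check is that the accepted grammar is then exactly what the money code expects, so nothing that could be interpreted as a function name, an expression, or an unexpected numeric form ever reaches it.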

Exploit · Fix

Weakness Enumeration

Code Injection

Related Identifiers

BDU:2021-04472
CVE-2021-36800

Affected Products

Akaunting