
CVE-2021-36800 : What You Need to Know

Discover the impact of CVE-2021-36800, a code injection flaw in Akaunting version 2.1.12 and earlier. Learn about mitigation steps and how to secure affected systems.

A detailed article outlining the Akaunting OS Command Injection vulnerability, its impact, technical details, and mitigation steps.

Understanding CVE-2021-36800

This CVE pertains to a code injection vulnerability in Akaunting version 2.1.12 and earlier, specifically in the Money.php component.

What is CVE-2021-36800?

Akaunting versions 2.1.12 and earlier are affected by a code injection issue in the Money.php component. An attacker can exploit it by sending a specially crafted POST request that causes PHP callable functions to be executed directly.

The Impact of CVE-2021-36800

The vulnerability has a CVSS base score of 8.7, indicating high severity. Successful exploitation can lead to a loss of confidentiality and integrity as well as privilege escalation on affected systems.

Technical Details of CVE-2021-36800

The following technical details provide insight into the vulnerability and its exploitation.

Vulnerability Description

The code injection vulnerability allows attackers to execute malicious PHP code via a crafted POST request in Akaunting version 2.1.12 and earlier.

Affected Systems and Versions

Akaunting versions 2.1.12 and earlier are affected by this vulnerability.

Exploitation Mechanism

Attackers exploit the vulnerability by including PHP callable functions in the 'items[0][price]' parameter of a POST request.
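As an added illustration (not Akaunting's code, and not a reconstruction of what Money.php actually did), the defensive counterpart to the mechanism above: strict server-side validation that accepts only plain decimal amounts in items[N][price], so a string naming a PHP function never reaches any code path that handles values dynamically. The StrictMoneyInput class and its methods are hypothetical names; PHP 8 or later is assumed.

```php
<?php
// Added example, not Akaunting's code. Strictly validates the items[N][price]
// fields of a decoded POST body: a money amount must be a plain decimal string,
// so a value that names a PHP function is rejected like any other non-numeric
// input. StrictMoneyInput and its methods are hypothetical names.
final class StrictMoneyInput
{
    // Optional sign, integer part without leading zeros, up to 4 decimals; no
    // symbols, separators or whitespace. \z (not $) also rejects a trailing newline.
    private const AMOUNT_PATTERN = '/^-?(?:0|[1-9]\d*)(?:\.\d{1,4})?\z/';
    /** Returns the amount in minor units (e.g. cents) or throws. */
    public static function parseAmount(mixed $raw, int $scale = 2): int
    {
        if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
            throw new InvalidArgumentException('price must be a number or string');
        }
        $s = (string) $raw;
        if (preg_match(self::AMOUNT_PATTERN, $s) !== 1) {
            throw new InvalidArgumentException("invalid price: {$s}");
        }
        [$int, $frac] = array_pad(explode('.', ltrim($s, '-'), 2), 2, '');
        if (strlen($frac) > $scale) {
            throw new InvalidArgumentException("too many decimals: {$s}");
        }
        $minor = (int) ($int . str_pad($frac, $scale, '0'));
        return $s[0] === '-' ? -$minor : $minor;
    }
    /** Validates every items[N][price] entry; throws on the first bad value. */
    public static function validateItems(array $post): array
    {
        $out = [];
        foreach ($post['items'] ?? [] as $i => $item) {
            if (!is_array($item) || !array_key_exists('price', $item)) {
                throw new InvalidArgumentException("items[{$i}] has no price");
            }
            $out[$i] = self::parseAmount($item['price']);
        }
        return $out;
    }
}
// Constructed sample bodies: valid line items, then one whose price is the
// name of a built-in function rather than a number.
$valid   = ['items' => [['price' => '12.50'], ['price' => '-3']]];
$invalid = ['items' => [['price' => 'strtoupper']]];
var_dump(StrictMoneyInput::validateItems($valid));
try {
    StrictMoneyInput::validateItems($invalid);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Validation of this kind is defence in depth alongside the upgrade, not a substitute for it: the fixed release is what removes the vulnerable code path.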

Mitigation and Prevention

To safeguard systems from the Akaunting OS Command Injection vulnerability, the following steps are recommended.

Immediate Steps to Take

Upgrade to Akaunting version 2.1.13 to mitigate the vulnerability.

Long-Term Security Practices

Regularly monitor for security updates and apply patches promptly to prevent exploitation of known vulnerabilities.

Patching and Updates

Stay informed about security bulletins and advisories from Akaunting so that potential vulnerabilities can be addressed in a timely manner.
