4 matches found
USN-8408-1: Twig vulnerability
It was discovered that Twig did not properly validate PHP callables when using a source policy. An authenticated user could possibly use this issue to execute arbitrary code...
CVE-2021-36800
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. A POST sent to /{company_id}/sales/invoices/{invoice_id} with an items[0][price] that includes a PHP callable function is executed directly. This issue was fixed in version 2.1.13 of the...
CVE-2021-36800
CVE-2021-36800 affects Akaunting v2.1.12 and earlier. A code-injection flaw in Money.php allows a crafted POST to /{company_id}/sales/invoices/{invoice_id} with items[0][price] containing a PHP callable to be executed on the server. Root cause: lack of input sanitization in Money.php, with parseA...
CVE-2021-36800 Akaunting OS Command Injection in 'Money.php'
Akaunting version 2.1.12 and earlier suffers from a code injection issue in the Money.php component of the application. A POST sent to /{company_id}/sales/invoices/{invoice_id} with an items[0][price] that includes a PHP callable function is executed directly. This issue was fixed in version 2.1.13 of the...