Sign In
Advisories

Akaunting 3.1.8 Server-Side Template Injection via Multiple Form Fields

Go Back
severity
high
date
Affecting

  • Akaunting 3.1.8

CWE
  • CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
CVSS
8.6
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Credit
tmrswrr
Description
Akaunting 3.1.8 contains a server-side template injection vulnerability that allows authenticated administrators to execute template expressions in multiple form input fields. Attackers can inject template payloads in items, taxes, transactions, and vendor name fields to perform arithmetic operations and string manipulations.