9 Security Bugs Found in 3 Open Source Projects Used by Several Organizations

Recently, 9 vulnerabilities were found in 3 open-source projects, EspoCRM, Pimcore, and Akaunting, all of which are used extensively by small and medium businesses.

If these flaws are successfully exploited, they might give an attacker a way to carry out more sophisticated attacks.

Vulnerability Classes

These vulnerabilities show that enterprise web applications are still dealing with common classes of web application vulnerabilities.

After investigating the vulnerabilities, the experts said that in this kind of attack the malicious user plants a bit of browser-executable code in the application.

That code is designed to lie in wait and trigger when someone loads it.

The 3 projects provide examples of persistent cross-site scripting (XSS), and 2 of the 9 vulnerabilities are SQL injection (SQLi) vulnerabilities.

In SQL injection, the threat actor uses the web application as a roundabout portal for issuing commands straight to the backing database, with the motive of stealing data or creating powerful web-app users.
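The two classes described above, shown as weak and hardened forms side by side. This is an added example, not code from EspoCRM, Pimcore, or Akaunting; the `invoices` table, the function names, and the sample inputs are hypothetical, and Python with SQLite stands in for the real application stack.

```python
import html
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, footer TEXT)")
    return db

def save_footer(db, owner, footer):
    # Bound parameters: values travel as data and are never parsed as SQL.
    return db.execute("INSERT INTO invoices (owner, footer) VALUES (?, ?)",
                      (owner, footer)).lastrowid

def find_by_owner_unsafe(db, owner):
    # Weak form: user input is concatenated into the statement text.
    return db.execute("SELECT id FROM invoices WHERE owner = '" + owner + "'").fetchall()

def find_by_owner(db, owner):
    # Hardened form: the same query with a placeholder.
    return db.execute("SELECT id FROM invoices WHERE owner = ?", (owner,)).fetchall()

def _footer(db, invoice_id):
    return db.execute("SELECT footer FROM invoices WHERE id = ?", (invoice_id,)).fetchone()[0]

def render_unsafe(db, invoice_id):
    # Weak form: the stored value reaches every later viewer's browser as markup.
    return "<footer>" + _footer(db, invoice_id) + "</footer>"

def render(db, invoice_id):
    # Hardened form: encode at output time so stored markup is displayed as text.
    return "<footer>" + html.escape(_footer(db, invoice_id), quote=True) + "</footer>"

def demo():
    db = make_db()
    save_footer(db, "alice", "Thanks for your business")
    bob = save_footer(db, "bob", "<script>alert(1)</script>")  # constructed sample
    probe = "x' OR '1'='1"                                     # constructed sample
    return {
        "unsafe_rows": len(find_by_owner_unsafe(db, probe)),  # predicate rewritten
        "safe_rows": len(find_by_owner(db, probe)),           # treated as a literal
        "unsafe_html": render_unsafe(db, bob),
        "safe_html": render(db, bob),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hardened query matches no rows because the whole input is compared as one owner name, and the hardened renderer emits the stored footer as inert text.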

List of vulnerabilities

After investigating, the cybersecurity researchers listed all 9 vulnerabilities, which are given below:

  • CVE-2021-3539 is a Persistent XSS flaw in EspoCRM v6.1.6 with a CVSS score of 6.3.
  • CVE-2021-31867 is a SQL injection in Pimcore Customer Data Framework v3.0.0 with a CVSS score of 6.5.
  • CVE-2021-31869 affects Pimcore AdminBundle v6.8.0 with a CVSS score of 6.5.
  • CVE-2021-36800 is an OS command injection in Akaunting v2.1.12 with a CVSS score of 8.7.
  • CVE-2021-36801 is an Authentication bypass in Akaunting v2.1.12 with a CVSS score of 8.5.
  • CVE-2021-36802 is a Denial-of-service via user-controlled ‘locale’ variable in Akaunting v2.1.12 with a CVSS score of 6.5.
  • CVE-2021-36803 is a Persistent XSS during avatar upload in Akaunting v2.1.12 with a CVSS score of 6.3.
  • CVE-2021-36804 is a Weak Password Reset in Akaunting v2.1.12 with a CVSS score of 5.4.
  • CVE-2021-36805 is an Invoice footer persistent XSS in Akaunting v2.1.12 with a CVSS score of 5.2.


The security researchers stated that, for all of these vulnerabilities, enterprises must keep the affected applications updated, so users should update to the latest versions to keep themselves safe.

There are other ways to mitigate these vulnerabilities: users of these applications can limit their exposure by not presenting their instances directly to the internet.

Instead, users can expose them only to trusted internal networks that have trusted insiders. According to the report, the EspoCRM issue was reported on May 4, 2021, and patched on May 5.

The vulnerabilities in Akaunting were reported on May 13 and fixed on May 14, and Pimcore fixed its vulnerabilities on April 29 after learning about them on April 28, 2021.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.