The vulnerability in FrontAccounting prior to version 2.4.20 is a SQL injection flaw located in the get_gl_transactions() function. Specifically, the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization, allowing attackers with SA_GLANALYTIC permission to inject arbitrary SQL. This injection can be exploited using a closing parenthesis followed by malicious conditions, enabling boolean-based blind SQL injection attacks that can reliably extract sensitive journal entry data by observing response size differences.

An attacker with SA_GLANALYTIC permission can exploit this vulnerability to perform SQL injection attacks, potentially extracting sensitive financial journal entry data from the database. This could lead to unauthorized disclosure of sensitive accounting information. There is no indication of privilege escalation or remote code execution from the provided data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict SA_GLANALYTIC permissions to trusted users only and monitor for suspicious activity related to the get_gl_transactions() function. Avoid using vulnerable versions of FrontAccounting in untrusted environments.