Threat Intelligence Database

FrontAccounting versions before 2.4.20 contain a SQL injection vulnerability in the Bank Statement report handler. Authenticated attackers can exploit this by injecting UNION SELECT payloads into the PARAM_0 POST parameter. This allows extraction of arbitrary database data, including sensitive user information such as usernames, password hashes, and email addresses, which are rendered in the PDF report output.

FrontAccounting versions before 2.4.20 have a SQL injection vulnerability in the Audit Trail report handler. Authenticated users with SA_GLANALYTIC permission can inject malicious SQL code via the PARAM_2 and PARAM_3 POST parameters. This vulnerability allows execution of arbitrary SQL queries, enabling data extraction or denial of service through amplified time-based blind SQL injection using SLEEP() functions.

FrontAccounting versions before 2.4.20 have a path traversal vulnerability in the attachment upload handler. Authenticated attackers can exploit this by uploading files with traversal sequences in the unique_name parameter, allowing them to write files outside the intended directory into the web root. By uploading PHP files without extension validation, attackers can achieve remote code execution as the web server user.

FrontAccounting versions before 2.4.20 have a SQL injection vulnerability in the get_gl_transactions() function. The vulnerability arises because the filter_type parameter is directly concatenated into a SQL IN() clause without proper parameterization. Attackers with SA_GLANALYTIC permission can exploit this to perform boolean-based blind SQL injection, potentially extracting sensitive journal entry data.