Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Frontaccounting Subscribe
Filtered by product Frontaccounting
Total 12 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-21244 1 Frontaccounting 1 Frontaccounting 2020-10-14 5.5 MEDIUM 4.9 MEDIUM
An issue was discovered in FrontAccounting 2.4.7. There is a Directory Traversal vulnerability that can empty folder via admin/inst_lang.php.
CVE-2018-1000890 1 Frontaccounting 1 Frontaccounting 2019-01-30 5.0 MEDIUM 7.5 HIGH
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.
CVE-2019-5720 1 Frontaccounting 1 Frontaccounting 2019-01-30 7.5 HIGH 9.8 CRITICAL
includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.
CVE-2018-7176 1 Frontaccounting 1 Frontaccounting 2018-03-14 6.8 MEDIUM 8.8 HIGH
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
CVE-2007-4279 1 Frontaccounting 1 Frontaccounting 2017-10-18 7.5 HIGH N/A
PHP remote file inclusion vulnerability in config.php in FrontAccounting 1.12 Build 31 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter.
CVE-2007-5117 1 Frontaccounting 1 Frontaccounting 2017-10-18 9.3 HIGH N/A
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
CVE-2014-3973 1 Frontaccounting 1 Frontaccounting 2014-06-06 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2011-3740 1 Frontaccounting 1 Frontaccounting 2012-03-11 5.0 MEDIUM N/A
FrontAccounting 2.3.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by reporting/includes/fpdi/fpdi2tcpdf_bridge.php and certain other files.
CVE-2009-4046 1 Frontaccounting 1 Frontaccounting 2009-11-22 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
CVE-2009-4045 1 Frontaccounting 1 Frontaccounting 2009-11-22 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to various .inc and .php files in (1) reporting/, (2) sales/, (3) sales/includes/, (4) sales/includes/db/, (5) sales/inquiry/, (6) sales/manage/, (7) sales/view/, (8) taxes/, and (9) taxes/db/.
CVE-2009-4037 1 Frontaccounting 1 Frontaccounting 2009-11-22 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7, and 2.2.x before 2.2 RC, allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/db/users_db.inc, and various other .inc and .php files under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, and (7) purchasing/.
CVE-2007-5148 1 Frontaccounting 1 Frontaccounting 2008-11-14 6.8 MEDIUM N/A
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure.