Vendor: Akaunting
By: tmrswrr
CVSS: 6.1 (HIGH)
Server-Side Template Injection (SSTI)
CWE: 94
Product Name: Akaunting
Affected Version From: 3.1.2008
Affected Version To: 3.1.2008
Patch Exists: NO
Related CWE:
CPE: a:akaunting:akaunting:3.1.8
Metasploit:
Other Scripts:
Platforms Tested:
2024

Akaunting 3.1.8 – Server-Side Template Injection (SSTI)

Akaunting version 3.1.8 is vulnerable to Server-Side Template Injection (SSTI): an attacker can inject a payload such as {{7*7}} into various input fields, resulting in arbitrary code execution.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs and restrict the use of dynamic template rendering.

Exploit-DB raw data: