CVE-2024-22836
Published 2024-02-08
Priority: P180 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit indexed
EPSS: 30.04% (98.0th percentile)
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| akaunting | akaunting | < 3.1.4 | 3.1.4 |
Detection & IOCs (extracted from sources)
- The exploit injects an OS command into the company locale field during app installation. Monitor POST requests to the app install endpoint whose locale parameter contains shell metacharacters or command sequences.
- The exploit uses a two-step flow: first inject_command() plants the payload via the locale, then trigger_rce() triggers execution by installing an app (default alias: paypal-standard, default version: 3.0.2). Detect sequential POST requests to the company settings endpoint and the app install endpoint from the same session.
- The exploit targets the app install functionality with a default app alias of 'paypal-standard' and version '3.0.2'. Alert on app installation requests using these values, especially when they are preceded by a locale-update request in the same session.
- The exploit authenticates through the Akaunting login endpoint and tracks the akaunting_session cookie. Correlate suspicious login activity that is immediately followed by a company locale modification and an app install request within the same session.
- The exploit requires valid credentials for the Akaunting instance. The vulnerability is exploitable by any user with sufficient privileges to modify company settings and install apps, not only administrators — review role-based access controls.
- The company ID is optional in the exploit (it defaults to auto-discovery via get_company()). Environments with multiple companies or tenants may be vulnerable across all company contexts, not just the default one.
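The session-correlation logic described in the bullets above, as an added example that is not part of this record or of Akaunting: it walks constructed request-log lines, flags shell metacharacters in a locale update, and raises a finding when the same session then installs an app. The endpoint paths (`/settings/company`, `/apps/install`) and the log format are assumptions, not Akaunting's real routes.

```python
import re
from collections import defaultdict

# Constructed sample request log (not real traffic). Format: session, method, path, body.
# The endpoint paths are ASSUMED placeholders, not Akaunting's actual routes.
SAMPLE_LOG = """\
sess=A1 POST /login user=alice
sess=A1 POST /settings/company locale=en-GB
sess=A1 POST /apps/install alias=invoice-reminder version=1.0.0
sess=B2 POST /login user=bob
sess=B2 POST /settings/company locale=en-GB;id
sess=B2 POST /apps/install alias=paypal-standard version=3.0.2
"""

# Characters that have no business in a locale value but start a shell command sequence.
SHELL_META = re.compile(r"[;|&`<>]|\$\(")
LINE = re.compile(r"sess=(\S+) (\S+) (\S+)(?: (.*))?$")


def parse(line):
    """Split one log line into (session, method, path, {param: value})."""
    sess, method, path, body = LINE.match(line).groups()
    params = dict(kv.split("=", 1) for kv in (body or "").split() if "=" in kv)
    return sess, method, path, params


def find_suspicious_sessions(log_text):
    """Return {session: [reasons]} for sessions matching the CVE-2024-22836 pattern."""
    state = defaultdict(dict)      # per-session: locale_seen / locale_tainted flags
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sess, method, path, params = parse(line)
        if method == "POST" and path == "/settings/company" and "locale" in params:
            state[sess]["locale_seen"] = True
            if SHELL_META.search(params["locale"]):
                state[sess]["locale_tainted"] = True
                findings[sess].append(f"shell metacharacters in locale: {params['locale']!r}")
        elif method == "POST" and path == "/apps/install":
            if state[sess].get("locale_tainted"):
                findings[sess].append("app install after tainted locale update (likely trigger)")
            elif (state[sess].get("locale_seen")
                  and params.get("alias") == "paypal-standard"
                  and params.get("version") == "3.0.2"):
                findings[sess].append("default PoC app alias/version after locale update")
    return dict(findings)
```

Session A1 is a benign settings change followed by an app install and produces no finding; session B2 produces two.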
No detection rules found.
No writeups or analysis indexed.