What is the severity of CVE-2021-36804?

CVE-2021-36804 has a medium severity rating due to the potential for unauthorized password reset functionality.

How do I fix CVE-2021-36804?

To fix CVE-2021-36804, upgrade Akaunting to version 2.1.13 or later.

What impacts does CVE-2021-36804 have on affected systems?

CVE-2021-36804 allows attackers to proxy password reset requests, potentially compromising user accounts.

Who is affected by CVE-2021-36804?

Users of Akaunting version 2.1.12 and earlier are affected by CVE-2021-36804.

What are the symptoms of an exploit of CVE-2021-36804?

Exploitation of CVE-2021-36804 may result in unauthorized password resets and account access.

Vulnerability/
CVE-2021-36804

high

8.1

CWE

640

4/8/2021

16/9/2024

CVE-2021-36804: Akaunting Password Reset Relay

First published: Wed Aug 04 2021(Updated: )

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.

Credit: cve@rapid7.con

Affected Software	Affected Version	How to fix
Akaunting Akaunting	<2.1.13

Remedy

https://github.com/laravel/laravel/pull/5477

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-36804?
CVE-2021-36804 has a medium severity rating due to the potential for unauthorized password reset functionality.
How do I fix CVE-2021-36804?
To fix CVE-2021-36804, upgrade Akaunting to version 2.1.13 or later.
What impacts does CVE-2021-36804 have on affected systems?
CVE-2021-36804 allows attackers to proxy password reset requests, potentially compromising user accounts.
Who is affected by CVE-2021-36804?
Users of Akaunting version 2.1.12 and earlier are affected by CVE-2021-36804.
What are the symptoms of an exploit of CVE-2021-36804?
Exploitation of CVE-2021-36804 may result in unauthorized password resets and account access.

collector/nvd-index
agent/softwarecombine
agent/type
agent/title
agent/severity
agent/references
agent/author
agent/remedy
agent/weakness
agent/description
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/first-publish-date
agent/event
agent/source
vendor/akaunting
canonical/akaunting akaunting

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.