CVE-2021-36804— Akaunting Password Reset Relay
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-36804
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Akaunting Password Reset Relay
Source: NVD (National Vulnerability Database)
Vulnerability Description
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
忘记口令恢复机制弱
Source: NVD (National Vulnerability Database)
Vulnerability Title
Akaunting 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Akaunting是Akaunting公司的一个应用软件提供一个在线管理资金所需的所有工具。 Akaunting 2.1.12及之前版本存在授权问题漏洞。如果攻击者知道目标的电子邮件地址,则可以通过正在运行的Akaunting实例代理密码重置请求。该问题已在2.1.13版本中修复.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2021-36804
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-36804
请登录查看更多情报信息。
- https://github.com/laravel/laravel/pull/5477x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-36804
Same Patch Batch · Akaunting · 2021-08-04 · 6 CVEs total
| CVE-2021-36800 | 8.7 HIGH | Akaunting OS Command Injection in 'Money.php' |
| CVE-2021-36801 | 8.1 HIGH | Akaunting Authentication Bypass in Company Selection |
| CVE-2021-36802 | 6.5 MEDIUM | Akaunting DoS via User-Controlled 'locale' Variable |
| CVE-2021-36803 | 6.3 MEDIUM | Akaunting Avatar Persistent XSS |
| CVE-2021-36805 | 5.2 MEDIUM | Akaunting Invoice Footer Persistent XSS |
IV. Related Vulnerabilities
Same product: Akaunting
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-5568
Akaunting Invoice/Billing cross site scripting - CVE-2024-58293
Akaunting 3.1.8 Server-Side Template Injection via Multiple - CVE-2021-36805
Akaunting Invoice Footer Persistent XSS - CVE-2021-36803
Akaunting Avatar Persistent XSS
Same vendor: Akaunting
- CVE-2024-58293
Akaunting 3.1.8 Server-Side Template Injection via Multiple - CVE-2021-36805
Akaunting Invoice Footer Persistent XSS - CVE-2021-36803
Akaunting Avatar Persistent XSS - CVE-2021-36802
Akaunting DoS via User-Controlled 'locale' Variable - CVE-2021-36801
Akaunting Authentication Bypass in Company Selection
Same weakness: CWE-640
V. Comments for CVE-2021-36804
No comments yet