Security researchers are applauding the quick resolution of a set of nine vulnerabilities present in three popular open source web applications for small and medium-sized businesses.
The team at threat intelligence vendor Rapid7 reported the flaws in the Pimcore, Akaunting and EspoCRM web apps to their respective developers, and in each case the vulnerabilities were fixed within 24 hours of being reported. The discovery of the vulnerabilities was credited to Trevor Christiansen of Rapid7 and Wiktor Sędkowski of Nokia.
Thanks to the developers' quick turnaround on fixes, Rapid7 said, the public was shielded from the vulnerabilities long before anyone could disclose or exploit them.
"While it's never great to learn of new vulnerabilities in your own product, all three project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day, which is amazing when it comes to vulnerability disclosure," Rapid7 research director Tod Beardsley wrote in a blog post.
Beardsley told SearchSecurity that, in general, open source developers are much more responsive than their counterparts when it comes to cleaning up security flaws.
"Often, they appear to acknowledge, reproduce, fix, and patch all in the space of a few days at the outside, and sometimes inside one day," Beardsley wrote in an email. "There's really no comparison to closed/proprietary software, which tend to use all of the 60 days we prefer for validations and fixes."
The nine bugs range from cross-site scripting and denial of service to SQL injection and authentication bypass.
The bulk of the bugs were found in Akaunting, which, as its name suggests, is an open source accounting application that is particularly popular with retailers. Six flaws were found in total, with Common Vulnerability Scoring System scores ranging from 5.2 (moderate) to 8.3 (high). The most serious of the flaws is CVE-2021-36800, a code injection flaw. CVE-2021-36801 enables authentication bypass and is also considered high-risk.
Of lower risk, but still very much worth patching, are a denial of service bug (CVE-2021-36802), a pair of cross-site scripting (XSS) flaws (CVE-2021-36803 and CVE-2021-36805), and a weak password reset error (CVE-2021-36804).
For EspoCRM, an open source customer resource management application, attackers would have been able to set up persistent XSS attacks thanks to a single vulnerability (CVE-2021-3539). The flaw was addressed with the version 6.1.7 update.
Pimcore, another open source CRM tool, was host to a pair of vulnerabilities in its Pimcore Customer Data Framework and Admin Bundle. They included CVE-2021-31867 and CVE-2021-31869, which are SQL injection vulnerabilities. The Customer Data Framework 3.0.2 update and Admin Bundle version 6.9.4 address both flaws.