Akaunting Password Reset Relay

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

忘记口令恢复机制弱

Akaunting 授权问题漏洞

Akaunting是Akaunting公司的一个应用软件提供一个在线管理资金所需的所有工具。 Akaunting 2.1.12及之前版本存在授权问题漏洞。如果攻击者知道目标的电子邮件地址，则可以通过正在运行的Akaunting实例代理密码重置请求。该问题已在2.1.13版本中修复.

N/A

N/A