CVE-2009-4037

critical

Description

Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7, and 2.2.x before 2.2 RC, allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/db/users_db.inc, and various other .inc and .php files under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, and (7) purchasing/.

References

http://www.vupen.com/english/advisories/2009/3223

http://sourceforge.net/projects/frontaccounting/files/FrontAccounting-2/2.2%20RC/frontaccount-2.2RC.tar.gz/download

http://sourceforge.net/projects/frontaccounting/files/FrontAccounting-2/2.1.7/frontaccount-2.1.7.tar.gz/download

http://secunia.com/advisories/37327

http://frontaccounting.net/wb3/pages/posts/release-2.2-rc104.php

http://frontaccounting.net/wb3/pages/posts/2.1.7-security-release103.php

Details

Source: Mitre, NVD

Published: 2009-11-20

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00706