SCA: security update for akaunting/akaunting (GHSA-246r-r2wf-frhx)

high Tenable Self-Hosted Container Security Plugin ID 408662

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an
attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows
the target's e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this
issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy
headers are handled with respect to multi-tenant implementations. In other words, while this is not
technically a vulnerability in Laravel, this default configuration is very likely to lead to practically
identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.
(CVE-2021-36804)

See Also

https://github.com/advisories/GHSA-246r-r2wf-frhx

Plugin Details

Severity: High

ID: 408662

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-36804

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/1/2021

Vulnerability Publication Date: 7/27/2021

Reference Information

CVE: CVE-2021-36804

cwe: CWE-640