Executive Summary
A path traversal vulnerability was discovered in FrontAccounting before version 2.4.20. This vulnerability allows authenticated attackers to execute arbitrary code by uploading files with traversal sequences in the unique_name parameter. The vulnerability has a CVSS score of 8.8 and is considered high severity.
Technical Analysis
The vulnerability is a path traversal vulnerability in the attachment upload handler of FrontAccounting. Attackers can supply path traversal sequences ../../../shell.php to write files outside the intended attachments directory into the web root. By uploading PHP files without extension validation, attackers can achieve remote code execution as the web server user.
How It Gets Exploited
An authenticated attacker with low privileges can exploit this vulnerability by uploading a file with a traversal sequence in the unique_name parameter. For example, an attacker can supply ../../../shell.php as the unique_name parameter to write a file outside the intended attachments directory into the web root. Since FrontAccounting does not validate file extensions, an attacker can upload a PHP file to achieve remote code execution as the web server user.
Impact Assessment
FrontAccounting versions before 2.4.20 are affected by this vulnerability. An attacker can achieve remote code execution as the web server user, which can lead to high impact on confidentiality, integrity, and availability. The CVSS score of 8.8 indicates a high severity vulnerability.
Recommended Actions
To mitigate this vulnerability, it is recommended to update FrontAccounting to version 2.4.20 or later. Additionally, users can implement input validation and file extension validation to prevent similar attacks. It is also recommended to monitor the system for suspicious file uploads and implement a web application firewall (WAF) to detect and prevent exploitation attempts.
Sources
- National Vulnerability Database (NVD)
-
[email protected]
- https://github.com/FrontAccountingERP/FA/commit/701fea6848da4a02fb83d30f07a9c0473d6b7e33
- https://jivasecurity.com/writeups/frontaccounting-rce-attachment-upload-cve-2026-40521
- https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/
- https://www.vulncheck.com/advisories/frontaccounting-path-traversal-rce-via-attachment-upload