cvedb.io
CVE-2021-36804
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2021-08-04T23:15:08.243 · Last modified 2026-06-17T03:59:27.923

Summary

Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability: an attacker who knows the target's e-mail address can proxy password reset requests through a running Akaunting instance. This issue was fixed in version 2.1.13 of the product. Note that the issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy (forwarded) headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, that default configuration is very likely to lead to practically identical vulnerabilities in other Laravel projects that implement multi-tenant applications.
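The summary gives the failure mode only in outline. The following is an added example, not code from Akaunting or Laravel, written in Python to illustrate the class of bug the advisory points at: an application that builds its password-reset link from the request's host and honours a forwarding header such as X-Forwarded-Host from any client lets an attacker who knows the victim's e-mail address steer the reset token to a host of their choosing. The hardened variant honours forwarding headers only when the connection comes from a listed proxy address and then checks the resulting host against the tenant hosts the deployment actually serves, which is the shape of control a multi-tenant application needs because it cannot simply pin a single application URL. All hosts, addresses, request objects and function names here are constructed for the example; the exact Akaunting code path is not shown on this page.

```python
import ipaddress
from urllib.parse import urlencode

# Constructed sample requests (not captured traffic). The first is a
# password-reset request sent directly by an attacker, carrying the
# forwarding headers a real reverse proxy would normally set.
ATTACKER_REQUEST = {
    "remote_addr": "203.0.113.7",  # the attacker's own address, not a proxy
    "headers": {
        "Host": "books.example.com",
        "X-Forwarded-Host": "attacker.example.net",
        "X-Forwarded-Proto": "https",
    },
}

# The same kind of request arriving through the deployment's real proxy,
# which rewrites Host to the backend and records the tenant host upstream.
PROXIED_REQUEST = {
    "remote_addr": "10.0.0.2",
    "headers": {
        "Host": "10.0.0.5",
        "X-Forwarded-Host": "tenant-b.example.com",
        "X-Forwarded-Proto": "https",
    },
}

# Assumed deployment facts: the proxy subnet and the tenant hosts served.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
TENANT_HOSTS = {"books.example.com", "tenant-b.example.com"}


def request_host_trusting_all(request):
    """Vulnerable: honour X-Forwarded-Host regardless of who sent it.

    This is the 'every client is a proxy' behaviour that turns a reset
    request into a way to choose the host in the victim's reset link.
    """
    headers = request["headers"]
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded:
        # A proxy chain may append values; the leftmost is the original.
        return forwarded.split(",")[0].strip()
    return headers["Host"]


def request_host_hardened(request, trusted_proxies=TRUSTED_PROXIES,
                          allowed_hosts=TENANT_HOSTS):
    """Hardened: trust forwarding headers only from listed proxies, then
    require the resulting host to be a tenant host we actually serve."""
    headers = request["headers"]
    source = ipaddress.ip_address(request["remote_addr"])
    from_trusted_proxy = any(source in net for net in trusted_proxies)

    host = headers["Host"]
    if from_trusted_proxy and headers.get("X-Forwarded-Host"):
        host = headers["X-Forwarded-Host"].split(",")[0].strip()

    # Strip an explicit port before the allowlist check; the comparison is
    # on the hostname only.
    hostname = host.rsplit(":", 1)[0] if ":" in host else host
    if hostname not in allowed_hosts:
        raise ValueError(f"refusing to build reset link for host {host!r}")
    return hostname


def reset_link(host, email, token):
    """Build the absolute reset URL that would be e-mailed to the user."""
    return f"https://{host}/password/reset/{token}?" + urlencode({"email": email})


def reset_link_vulnerable(request, email, token):
    return reset_link(request_host_trusting_all(request), email, token)


def reset_link_hardened(request, email, token):
    return reset_link(request_host_hardened(request), email, token)


if __name__ == "__main__":
    token = "constructed-token-value"
    print("vulnerable:", reset_link_vulnerable(ATTACKER_REQUEST, "victim@example.com", token))
    print("hardened:  ", reset_link_hardened(ATTACKER_REQUEST, "victim@example.com", token))
    print("via proxy: ", reset_link_hardened(PROXIED_REQUEST, "victim@example.com", token))
```

Run as-is, the vulnerable path e-mails the victim a link to attacker.example.net carrying a valid token, while the hardened path ignores the attacker's header and still resolves the correct tenant host for a request that genuinely came through the proxy. The two controls are deliberately separate: restricting which source addresses may set forwarding headers stops the direct spoof, and the host allowlist catches a misconfigured or compromised proxy, which matters in multi-tenant deployments where the host legitimately varies per request.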

Affected products

akaunting — akaunting


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.