Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable report endpoint with low complexity, but requires an authenticated SA_GLANALYTIC account (PR:L); UNION data theft gives C:H and JOIN-amplified SLEEP() DoS gives A:H, with no integrity change (I:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Audit Trail report handler that allows authenticated attackers with SA_GLANALYTIC permission to execute arbitrary SQL queries by injecting malicious code into the PARAM_2 and PARAM_3 POST parameters. Attackers can exploit time-based blind SQL injection through SLEEP() functions that are amplified across JOIN result sets to cause denial of service by exhausting database connections, or extract arbitrary database content through UNION-based injection techniques.
AnalysisAI
SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding the SA_GLANALYTIC permission run arbitrary SQL through the PARAM_2 and PARAM_3 POST parameters in all releases prior to 2.4.20. Attackers can extract arbitrary database contents via UNION-based injection or knock the application offline by amplifying SLEEP() across JOINed result sets to exhaust database connections. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated FrontAccounting session whose user holds the SA_GLANALYTIC permission (the privilege gating the Audit Trail report) and access to the reporting/rep710.php Audit Trail report handler, where the malicious payload is placed in the PARAM_2 and PARAM_3 POST parameters. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H, base 7.2) describes a network-reachable, low-complexity attack requiring low privileges and no user interaction, yielding high confidentiality and availability impact with no integrity impact - consistent with read-oriented UNION data theft plus connection-exhaustion DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A disgruntled accounting clerk, or an external attacker who has phished a low-privilege FrontAccounting login that carries SA_GLANALYTIC, opens the Audit Trail report and submits a crafted POST request placing a UNION SELECT into PARAM_2/PARAM_3 to dump user password hashes and financial records. Alternatively the same actor injects a JOIN-amplified SLEEP() payload to saturate the database connection pool and take the application offline. … |
| Remediation | Vendor-released patch: upgrade to FrontAccounting 2.4.20, which contains the fix (commit 647a18196caad27f96ea852e993c9e30f815357f; release notes at https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all FrontAccounting deployments and identify users granted SA_GLANALYTIC permission. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Frontaccounting
View allincludes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field
Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add u
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachme
SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC per
SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by
An issue was discovered in FrontAccounting 2.4.7. Rated medium severity (CVSS 4.9), this vulnerability is remotely explo
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40080
GHSA-8ccm-j5hq-9jhr