Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with low complexity but needs the SA_GLANALYTIC privilege (PR:L); read-only blind data extraction yields C:H with no integrity or availability impact, contrary to the input's VA:H.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the get_gl_transactions() function where the filter_type parameter is concatenated directly into a SQL IN() clause without parameterization. Attackers with SA_GLANALYTIC permission can inject arbitrary SQL by supplying a closing parenthesis followed by malicious conditions to extract sensitive journal entry data through boolean-based blind SQL injection with reliable response size differentials.
AnalysisAI
SQL injection in FrontAccounting's get_gl_transactions() function lets authenticated users holding the SA_GLANALYTIC permission read arbitrary database contents by injecting into the unparameterized filter_type parameter of a SQL IN() clause. The flaw enables boolean-based blind extraction of sensitive journal-entry and general-ledger data using reliable response-size differentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated FrontAccounting account holding the SA_GLANALYTIC permission and access to the general-ledger analytics report that invokes get_gl_transactions(); the attacker must control the filter_type parameter, which the code passes unparameterized into a SQL IN() clause. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately consistent and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been granted (or has compromised an account with) the SA_GLANALYTIC permission opens the general-ledger analytics report and submits a crafted filter_type value such as a closing parenthesis followed by an injected OR/AND condition. Because the input is concatenated into the IN() clause, the application returns measurably different response sizes for true versus false conditions, letting the attacker iteratively extract journal entries and other database contents bit by bit. … |
| Remediation | Vendor-released patch: upgrade to FrontAccounting 2.4.20 or later, which parameterizes the filter_type input; the corresponding code change is the upstream commit at https://github.com/FrontAccountingERP/FA/commit/647a18196caad27f96ea852e993c9e30f815357f and the release notes are at https://sourceforge.net/p/frontaccounting/news/2026/04/release-2420/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all FrontAccounting deployments and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Frontaccounting
View allincludes/db/class.reflines_db.inc in FrontAccounting 2.4.6 contains a SQL Injection vulnerability in the reference field
Remote code execution in FrontAccounting before 2.4.20 lets an authenticated user abuse the attachment upload handler to
FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php (aka the "add u
Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary
FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulnerability in the parameter "filterType" in /attachme
SQL injection in FrontAccounting's Audit Trail report handler (reporting/rep710.php) lets authenticated users holding th
SQL injection in FrontAccounting before 2.4.20 allows authenticated attackers to extract arbitrary database contents by
An issue was discovered in FrontAccounting 2.4.7. Rated medium severity (CVSS 4.9), this vulnerability is remotely explo
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40079
GHSA-w5j4-x499-pfwp