Open source web app projects hailed for quickly patching bugs
Nine vulnerabilities in three popular open source SMB tools were cleaned up within 24 hours after Rapid7 reported the flaws to their development teams.
Security researchers are applauding the quick resolution of a set of nine vulnerabilities present in three popular open source web applications for small and medium-sized businesses.
The team at threat intelligence vendor Rapid7 reported the flaws in the Pimcore, Akaunting and EspoCRM web apps to their respective developers, and in each case the vulnerabilities were fixed within 24 hours of being reported. The discovery of the vulnerabilities was credited to Trevor Christiansen of Rapid7 and Wiktor Sędkowski of Nokia.
Thanks to the developers' quick turnaround on fixes, Rapid7 said the vulnerabilities were patched long before anyone else could disclose or exploit them.
"While it's never great to learn of new vulnerabilities in your own product, all three project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day, which is amazing when it comes to vulnerability disclosure," Rapid7 research director Tod Beardsley wrote in a blog post.
Beardsley told SearchSecurity that, in general, open source developers are much more responsive than their counterparts when it comes to cleaning up security flaws.
"Often, they appear to acknowledge, reproduce, fix, and patch all in the space of a few days at the outside, and sometimes inside one day," Beardsley said in an email. "There's really no comparison to closed/proprietary software, which tends to use all of the 60 days we prefer for validations and fixes."
The nine total bugs range from cross-site scripting and denial of service to SQL injection and authentication bypass.
The bulk of the bugs were found in Akaunting, which as its name suggests is an open source accounting application that is particularly popular with retailers. Six flaws were found in total, with CVSS scores ranging from 5.2 (moderate) to 8.3 (high). The most serious of the flaws is CVE-2021-36800, a code injection flaw. CVE-2021-36801 allows authentication bypass and is also considered high-risk.
Of lower risk, but still very much worth patching, are a denial of service bug (CVE-2021-36802), a pair of cross-site scripting flaws (CVE-2021-36803, CVE-2021-36805), and a weak password reset error (CVE-2021-36804).
For EspoCRM, an open source customer resource management application, attackers would have been able to set up persistent cross-site scripting attacks thanks to a single vulnerability (CVE-2021-3539). The flaw was addressed with the version 6.1.7 update.
Pimcore, another open source CRM tool, was host to a pair of vulnerabilities in its Pimcore Customer Data Framework and Admin Bundle: CVE-2021-31867 and CVE-2021-31869, both of which are SQL injection vulnerabilities. The Customer Data Framework 3.0.2 update and Admin Bundle version 6.9.4 address both flaws.