CVE-2024-22836

9.8 CRITICAL

📋 TL;DR

This CVE describes an OS command injection vulnerability in Akaunting v3.1.3 and earlier that allows attackers to execute arbitrary system commands on the hosting server by manipulating the company locale during app installation. This affects all Akaunting installations running vulnerable versions, potentially giving attackers complete control over affected systems.

💻 Affected Systems

Products:
  • Akaunting
Versions: v3.1.3 and earlier
Operating Systems: All platforms running Akaunting
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability requires app installation access, which may be limited by user permissions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing data theft, ransomware deployment, lateral movement to other systems, and complete system destruction.

🟠 Likely Case

Initial foothold leading to data exfiltration, cryptocurrency mining, or backdoor installation for persistent access.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, potentially containing the compromise to the web application container.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the app installation functionality. A public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.1.4

Vendor Advisory: https://github.com/akaunting/akaunting/releases/tag/3.1.4

Restart Required: Yes

Instructions:

1. Back up your Akaunting database and files.
2. Download v3.1.4 from GitHub releases.
3. Replace the existing installation files with the new version.
4. Clear the cache and restart the web server.
5. Verify functionality.

🔧 Temporary Workarounds

Disable App Installation

Platform: all

Temporarily disable the ability to install apps through the Akaunting interface

# Modify Akaunting configuration or use .htaccess to restrict access to installation endpoints

Network Restriction

Platform: all

Restrict access to the Akaunting installation/admin interfaces to trusted IPs only

# Example for Apache: Require ip 192.168.1.0/24
# Example for Nginx: allow 192.168.1.0/24; deny all;

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Akaunting server from critical systems
  • Deploy web application firewall with command injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check Akaunting version in admin panel or by examining version files. Versions 3.1.3 and earlier are vulnerable.

Check Version:

php artisan version

Verify Fix Applied:

Verify that the version shown in the admin panel is 3.1.4 or later, and confirm that the app installation flow rejects locale values containing shell metacharacters.

📡 Detection & Monitoring

Log Indicators:

  • Shell metacharacters or command strings in request parameters recorded in web server or application logs
  • Multiple failed app installation attempts
  • Suspicious locale parameters in POST requests to app installation endpoints

Network Indicators:

  • Outbound connections from web server to unusual destinations
  • Command and control traffic patterns

SIEM Query:

source="web_server" AND (url="*install*" OR url="*app*install*") AND (param="*locale*" OR param="*;*" OR param="*|*" OR param="*`*")
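The SIEM query above expressed as runnable detection logic over constructed sample events (added example, not part of the advisory or of Akaunting): it flags app-installation requests whose parameters carry shell metacharacters or a malformed locale. The JSON field names and the /apps/<name>/install path are assumptions.

```python
import json
import re

# Constructed sample events (JSON lines). Field names and the install path
# are assumptions, not Akaunting's routes or any SIEM's real schema.
SAMPLE_EVENTS = """\
{"src_ip": "203.0.113.10", "method": "POST", "url": "/apps/example/install", "params": {"locale": "en-GB"}}
{"src_ip": "203.0.113.11", "method": "POST", "url": "/apps/example/install", "params": {"locale": "en-GB;id"}}
{"src_ip": "203.0.113.12", "method": "GET",  "url": "/common/companies",     "params": {"locale": "de-DE"}}
{"src_ip": "203.0.113.13", "method": "POST", "url": "/apps/example/install", "params": {"locale": "`id`"}}
{"src_ip": "203.0.113.14", "method": "POST", "url": "/apps/example/install", "params": {"name": "x|y"}}
"""

# Shell metacharacters from the advisory's SIEM query (; | `) plus $ & and newline.
META_CHARS = re.compile(r"[;|`$&\n]")
# Assumed shape of a well-formed locale value, e.g. en-GB, pt_BR, de.
LOCALE_OK = re.compile(r"^[a-z]{2,3}([_-][A-Za-z]{2,4})?$")

def is_install_request(event):
    """Mirror the query's url="*install*" clause."""
    return "install" in event.get("url", "").lower()

def suspicious_params(params):
    """Return (name, reason) pairs for parameter values worth alerting on."""
    findings = []
    for name, value in params.items():
        value = str(value)
        if META_CHARS.search(value):
            findings.append((name, "shell metacharacter"))
        elif name == "locale" and not LOCALE_OK.match(value):
            findings.append((name, "malformed locale"))
    return findings

def detect(lines):
    """Return one alert per install request that carries suspicious parameters."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_install_request(event):
            continue
        findings = suspicious_params(event.get("params", {}))
        if findings:
            alerts.append({"src_ip": event["src_ip"], "url": event["url"], "findings": findings})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Feeding real events into detect() requires a log source that records request parameters (a WAF or application log), since a plain access log does not capture POST bodies.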
