CVE-2021-36804: 
PHP vulnerability analysis and mitigation

CVE-2021-36804 is a password reset spoofing vulnerability affecting Akaunting version 2.1.12 and earlier. The vulnerability was discovered and reported through Rapid7's Bug Bounty program and was fixed in version 2.1.13. The issue allows an attacker to proxy password reset requests through a running Akaunting instance if they know the target's email address (Rapid7 Blog).

The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The issue stems from how proxy headers are handled with respect to multi-tenant implementations in the Laravel framework defaults, specifically in relation to how the X-Forwarded-Host header is processed (Laravel PR).

If successfully exploited, an attacker can abuse the password reset functionality to send phishing emails from the application to registered users. When the user clicks on the password reset URL in the email, their password reset token is sent to a website controlled by the attacker, allowing the attacker to set a new password (Rapid7 Blog).

The vulnerability was fixed in Akaunting version 2.1.13. Users should upgrade to this or a later version. For those unable to upgrade immediately, a temporary mitigation is to ensure proper configuration of proxy headers at the reverse proxy level or implement strict host header validation (Rapid7 Blog).

The vulnerability disclosure was well-received by the open-source community, with the Akaunting project maintainers responding and providing fixes within one day of notification. The issue sparked discussions about security-by-default approaches in web frameworks, particularly regarding proxy header handling (Laravel PR).