DOM cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of:
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.17 (inclusive)
Known fixed
- 1.7.33
- 1.8.18
Details
LedgerSMB uses the URL's hash fragment (the part after the '#'-sign) to
store which screen the user is on, for the purpose of history navigation
(the back button). The hash fragment is assumed to be a URL that is part
of the web application's URL space. This assumption is not verified.
This allows an attacker to inject a script into the page by sending a specially
crafted URL to an authenticated user. As the process of loading the attack
payload overwrites any content in the main window, the attack by itself does
not expose sensitive information; a sophisticated payload, in addition to
targeting a sufficiently privileged user, is required for information
disclosure.
Proper audit controls and separation of duties limit the Integrity impact of
this attack vector.
The vulnerable code dates back to version 1.5 when LedgerSMB moved to the
Single Page Application (SPA) model for web applications.
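The missing check described above is an origin check on the hash-fragment URL before its content is fetched and merged into the page. The following is an added example written for this advisory, not LedgerSMB's own code; the application origin, base path, parameter names and the `loadScreen` helper are assumptions chosen for illustration. It resolves the fragment against the application's base URL, rejects anything that carries its own scheme or host or escapes the base path, and additionally refuses to merge a fetched reply that did not come back from the application's origin as HTML (a redirect could move it elsewhere).

```javascript
// Added example (not LedgerSMB's code): gate a hash-fragment URL before it is
// fetched and its HTML merged into the DOM. Uses the WHATWG URL global, which
// is available in browsers and in Node.js.
//
// Constructed placeholders: the application is assumed to live at APP_ORIGIN
// under APP_BASE_PATH.
const APP_ORIGIN = 'https://ledger.example.test';
const APP_BASE_PATH = '/erp/';

// Returns the resolved same-origin URL string when the fragment is an
// acceptable in-application reference, or null when it must be rejected.
function resolveFragmentUrl(fragment, origin = APP_ORIGIN, basePath = APP_BASE_PATH) {
  if (typeof fragment !== 'string') return null;
  const ref = fragment.trim();
  if (ref.length === 0) return null;

  // Only plain relative references are allowed: reject explicit schemes
  // ('javascript:', 'data:', 'https:') and scheme-relative '//host' forms.
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(ref) || ref.startsWith('//')) return null;

  let resolved;
  try {
    resolved = new URL(ref, origin + basePath);
  } catch {
    return null; // unparseable reference
  }

  // After resolution (which normalises '../' segments) the URL must still be
  // on the application's origin and under its base path.
  if (resolved.origin !== origin) return null;
  if (!resolved.pathname.startsWith(basePath)) return null;
  return resolved.href;
}

// Second gate, applied to the fetched reply: redirects may have moved it off
// the application's origin, and only an HTML reply is a screen to merge.
// `response` needs only `url` and `headers.get()`, so a plain object works.
function responseIsMergeable(response, origin = APP_ORIGIN) {
  let finalUrl;
  try {
    finalUrl = new URL(response.url);
  } catch {
    return false;
  }
  if (finalUrl.origin !== origin) return false;
  const type = (response.headers.get('content-type') || '').toLowerCase();
  return type.startsWith('text/html');
}

// Hypothetical screen loader tying both gates together; `fetchFn` is
// injectable so the logic can be exercised without a network.
async function loadScreen(fragment, container, fetchFn = fetch) {
  const target = resolveFragmentUrl(fragment);
  if (target === null) {
    throw new Error('refusing to load screen from non-application URL');
  }
  const response = await fetchFn(target, { credentials: 'same-origin' });
  if (!responseIsMergeable(response)) {
    throw new Error('refusing to merge non-HTML or cross-origin reply');
  }
  container.innerHTML = await response.text(); // the DOM merge, now gated
  return target;
}

module.exports = { resolveFragmentUrl, responseIsMergeable, loadScreen };
```

The first gate runs before any request is made, so a crafted fragment never reaches `fetch`; the second catches the case where a legitimate-looking path is redirected by the server to somewhere outside the application.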
Severity
CVSSv3.1 Base Score: 7.1 (High)
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Recommendations
We recommend that all users upgrade to a known-fixed version. Versions prior
to 1.7 are end-of-life and will not receive security fixes from the
LedgerSMB project.
Users who cannot upgrade may apply the included patches or are advised
to contact a vendor for custom support.
There are no workarounds available for this vulnerability.
References
https://ledgersmb.org/cve-2021-3693-cross-site-scripting
https://huntr.dev/bounties/daf1384d-648a-43fd-9b35-5c37d8ead667/
Reported by
ranjit-git, user of the huntr.dev platform