Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

  All of:

  - 1.1.0 up to 1.1.12 (inclusive)
  - 1.2.0 up to 1.2.26 (inclusive)
  - 1.3.0 up to 1.3.47 (inclusive)
  - 1.4.0 up to 1.4.42 (inclusive)
  - 1.5.0 up to 1.5.30 (inclusive)
  - 1.6.0 up to 1.6.33 (inclusive)
  - 1.7.0 up to 1.7.32 (inclusive)
  - 1.8.0 up to 1.8.17 (inclusive)

Known fixed

  - 1.7.33
  - 1.8.18

Details

  When encountering an error, LedgerSMB sends the user feedback which may
  include user-provided input.  This input was not sufficiently sanitized
  before being included in the error report.  This allows an attacker to
  inject a script into the error response page by sending a specially crafted
  URL to an authenticated user.  As the error page itself does not contain any
  sensitive information, a sophisticated payload, in addition to targeting a
  sufficiently privileged user, is required for information disclosure.

  Proper audit control and separation of duties limit the Integrity impact of
  this attack vector.

  The vulnerable code providing this user feedback dates back to version 1.0.
  Please note that not all error messages are vulnerable to this attack, as not
  all messages report the problematic input back to the user.
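  The following is an added illustration of the defect class described above;
  it is not LedgerSMB's own code (which is Perl), and the URL, the `account`
  parameter name and the error text are constructed for the example.  It shows
  an error renderer that reflects a request parameter into the page raw, the
  corrected form that HTML-encodes every untrusted value before insertion, and
  a simple check a test suite can run over the rendered output to catch the
  unencoded case.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_error_vulnerable(message: str, user_input: str) -> str:
    """'Before': the user-supplied value is interpolated into HTML unchanged."""
    return f"<html><body><h1>Error</h1><p>{message}: {user_input}</p></body></html>"


def render_error_fixed(message: str, user_input: str) -> str:
    """'After': every value that could carry untrusted data is HTML-encoded.

    quote=True also encodes " and ', so the value stays inert even when a
    template later places it inside an attribute.
    """
    return (
        "<html><body><h1>Error</h1><p>"
        f"{html.escape(message, quote=True)}: {html.escape(user_input, quote=True)}"
        "</p></body></html>"
    )


def error_for_url(url: str, renderer) -> str:
    """Simulated request handling (hypothetical; not LedgerSMB's routing).

    The server reads the 'account' query parameter from the URL and reports
    it back to the user in an 'Account not found' error, which is the
    reflection path the advisory describes.
    """
    query = parse_qs(urlsplit(url).query)
    account = query.get("account", [""])[0]
    return renderer("Account not found", account)


def contains_raw_markup(page: str, value: str) -> bool:
    """Detection check for a test suite: an untrusted value that carries
    HTML-significant characters must never appear verbatim in the output."""
    has_markup = any(c in value for c in "<>\"'&")
    return has_markup and value in page


# Constructed sample: a crafted link such as an attacker might send to a
# logged-in user.  The parameter value is what the error page reflects.
CRAFTED_URL = "https://ledger.example/login.pl?account=1000<script>alert(1)</script>"
REFLECTED_VALUE = "1000<script>alert(1)</script>"


if __name__ == "__main__":
    before = error_for_url(CRAFTED_URL, render_error_vulnerable)
    after = error_for_url(CRAFTED_URL, render_error_fixed)
    print("vulnerable output reflects raw markup:", contains_raw_markup(before, REFLECTED_VALUE))
    print("fixed output reflects raw markup:     ", contains_raw_markup(after, REFLECTED_VALUE))
    print(after)
```

  The check in `contains_raw_markup` is deliberately narrow: it flags only the
  case the advisory describes, untrusted input reaching the page without
  encoding.  Encoding at the point of output (the renderer), rather than
  filtering at the point of input, is what closes the whole class, since it
  does not depend on guessing which characters a given browser treats as
  markup.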

Severity

CVSSv3.1 Base Score: 8.2 (High)

CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Recommendations

  We recommend that all users upgrade to a known-fixed version.  Versions prior
  to 1.7 are end-of-life and will not receive security fixes from the
  LedgerSMB project.

  Users who cannot upgrade may apply the included patches, or are advised to
  contact a vendor for custom support.

  There are no workarounds available for this vulnerability.

References

  CVE-2021-3694  (LedgerSMB)

  https://ledgersmb.org/cve-2021-3694-cross-site-scripting

  https://huntr.dev/bounties/ef7f4cf7-3a81-4516-b261-f5b6ac21430c/

Reported by

  ranjit-git, user of the huntr.dev platform

Release