Security advisory for CVE-2021-3731 (Clickjacking)

Submitted by ehu on

Insufficient protection against 'clickjacking'


  LedgerSMB does not sufficiently guard against being wrapped by
  other sites, making it vulnerable to 'clickjacking. This allows
  an attacker to trick a targetted user to execute unintended actions.

Known vulnerable

  All of:

  - 1.1.0 upto 1.1.12 (including)
  - 1.2.0 upto 1.2.26 (including)
  - 1.3.0 upto 1.3.47 (including)
  - 1.4.0 upto 1.4.42 (including)
  - 1.5.0 upto 1.5.30 (including)
  - 1.6.0 upto 1.6.33 (including)
  - 1.7.0 upto 1.7.32 (including)
  - 1.8.0 upto 1.8.17 (including)

Known fixed

  - 1.7.33
  - 1.8.18


  In a clickjacking attack, an attacker (invisibly) wraps the vulnerable
  site in his own site, carefully placing elements of his own site over
  elements of the wrapped site, tricking the user into performing unintended
  actions on the vulnerable site. More information on clickjacking is on the
  OWASP page at

  The lack of protection dates back to version 1.0, although it must
  be noted that mitigation measures were first available in browsers
  as of 2011 -- the year of the release of 1.3.0.


  CVSSv3.1 Base Score: 5.9 (Medium)

  CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N


  We recommend all users to upgrade to known-fixed versions. Versions prior
  to 1.7 are end-of-life and will not receive security fixes from the
  LedgerSMB project.

  Users who cannot upgrade, may apply the included patches or are advised
  to contact a vendor for custom support.

  As a workaround, administrators may configure their webservers to add
  the Content-Security-Policy header as documented in the content
  security policy site at


  CVE-2021-3731  (LedgerSMB)

Reported by

  sudheendra17, user of the platform