Security advisory for CVE-2021-3731 (Clickjacking)

Submitted by ehu

Insufficient protection against 'clickjacking'

Summary

  LedgerSMB does not sufficiently guard against being wrapped by
  other sites, making it vulnerable to 'clickjacking'. This allows
  an attacker to trick a targeted user into executing unintended actions.

Known vulnerable

  All of:

  - 1.1.0 up to and including 1.1.12
  - 1.2.0 up to and including 1.2.26
  - 1.3.0 up to and including 1.3.47
  - 1.4.0 up to and including 1.4.42
  - 1.5.0 up to and including 1.5.30
  - 1.6.0 up to and including 1.6.33
  - 1.7.0 up to and including 1.7.32
  - 1.8.0 up to and including 1.8.17

Known fixed

  - 1.7.33
  - 1.8.18


Details

  In a clickjacking attack, an attacker (invisibly) wraps the vulnerable
  site in his own site, carefully placing elements of his own site over
  elements of the wrapped site, tricking the user into performing unintended
  actions on the vulnerable site. More information on clickjacking is on the
  OWASP page at https://owasp.org/www-community/attacks/Clickjacking.

  The lack of protection dates back to version 1.0, although it must
  be noted that mitigation measures were first available in browsers
  as of 2011 -- the year of the release of 1.3.0.

Severity

  CVSSv3.1 Base Score: 5.9 (Medium)

  CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Recommendations

  We recommend that all users upgrade to a known-fixed version. Versions prior
  to 1.7 are end-of-life and will not receive security fixes from the
  LedgerSMB project.

  Users who cannot upgrade may apply the included patches, or are advised
  to contact a vendor for custom support.

  As a workaround, administrators may configure their webservers to add
  the Content-Security-Policy header as documented in the content
  security policy site at https://content-security-policy.com/#server.
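  The Content-Security-Policy directive that governs framing is
  `frame-ancestors`; `frame-ancestors 'none'` forbids all framing and
  `frame-ancestors 'self'` permits only same-origin framing. Note that
  `frame-ancestors` does not fall back to `default-src`, so a policy that sets
  only `default-src` leaves the page frameable. The legacy `X-Frame-Options`
  header (`DENY` or `SAMEORIGIN`) is still worth sending for browsers that
  predate CSP level 2; browsers that understand `frame-ancestors` ignore
  `X-Frame-Options` when the directive is present. The following script, an
  added example that is not part of this advisory or of LedgerSMB, applies
  those rules to a set of response headers so an administrator can confirm the
  workaround actually took effect. The sample header sets are constructed.

```python
"""Classify a response's anti-framing protection from its HTTP headers.

Added example for the LedgerSMB CVE-2021-3731 advisory; not project code.
Implements the precedence browsers apply: a Content-Security-Policy
frame-ancestors directive wins; X-Frame-Options is the legacy fallback.
"""
from typing import Dict, List, Optional


def csp_frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent.

    A CSP value is a ';'-separated list of directives; each directive is a
    case-insensitive name followed by whitespace-separated source expressions.
    """
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None  # default-src does NOT cover frame-ancestors


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-listed' or 'unprotected'."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(lower.get("content-security-policy"))
    if ancestors is not None:
        # An empty source list or 'none' matches no ancestor: framing is refused.
        if not ancestors or ancestors == ["'none'"]:
            return "blocked"
        # '*' or a bare scheme lets any site on that scheme frame the page.
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return "unprotected"
        if ancestors == ["'self'"]:
            return "same-origin"
        return "allow-listed"
    # No frame-ancestors directive: fall back to the legacy header.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Missing header, or the obsolete ALLOW-FROM form, which browsers ignore.
    return "unprotected"


# Constructed header sets illustrating common deployment states.
SAMPLES: Dict[str, Dict[str, str]] = {
    "no anti-framing headers (vulnerable versions)": {},
    "CSP present but without frame-ancestors (common mistake)": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    },
    "recommended workaround": {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "same-origin framing only": {
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "legacy header only": {"X-Frame-Options": "SAMEORIGIN"},
    "wildcard ancestor (ineffective)": {
        "Content-Security-Policy": "frame-ancestors *",
    },
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its framing-protection verdict."""
    return {name: framing_protection(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{verdict:12s} {name}")
```

  Running the script against headers captured from a live deployment (for
  example with `curl -sI`) tells the administrator whether the webserver change
  produced a policy browsers will enforce; any verdict other than 'blocked' or
  'same-origin' means the workaround is incomplete.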

References

  CVE-2021-3731  (LedgerSMB)

  https://ledgersmb.org/cve-2021-3731-clickjacking

  https://huntr.dev/bounties/5664331d-f5f8-4412-8566-408f8655888a/

Reported by

  sudheendra17, user of the huntr.dev platform
