Reflected cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of:
- 1.1.0 up to 1.1.12 (inclusive)
- 1.2.0 up to 1.2.26 (inclusive)
- 1.3.0 up to 1.3.47 (inclusive)
- 1.4.0 up to 1.4.42 (inclusive)
- 1.5.0 up to 1.5.30 (inclusive)
- 1.6.0 up to 1.6.33 (inclusive)
- 1.7.0 up to 1.7.32 (inclusive)
- 1.8.0 up to 1.8.17 (inclusive)
Known fixed
- 1.7.33
- 1.8.18
Details
When encountering an error, LedgerSMB sends the user feedback which may
include user-provided input. This input was not sufficiently sanitized
before being included in the error report. This allows an attacker to inject
a script into the error response page by sending a specially crafted URL to an
authenticated user. As the error page itself does not contain any sensitive
information, a sophisticated payload, in addition to targeting a sufficiently
privileged user, is required for information disclosure.
Proper audit control and separation of duties limit the integrity impact of
this attack vector.
The vulnerable code that provides this user feedback dates back to version 1.0.
Please note that not all error messages are vulnerable to this attack, as not all
messages report the problematic input to the user.
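As an added illustration (not LedgerSMB's own code), the pattern described above in Python: an error report that interpolates the offending request parameter verbatim, the HTML-encoded form that fixes it, and a check a reviewer can run to confirm the raw value no longer reaches the response unencoded. The URL, parameter name and function names are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the 'action' parameter carries HTML markup.
# (Hostname, path and parameter name are invented for the example.)
SAMPLE_URL = "https://ledger.example/login.pl?action=%3Cscript%3Eprobe()%3C/script%3E"


def offending_param(url: str, name: str = "action") -> str:
    """Return the decoded value of the query parameter an error report would echo."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def error_page_vulnerable(value: str) -> str:
    """Flawed pattern: the rejected input is placed into the HTML error report
    verbatim, so any markup it contains is parsed and executed by the browser."""
    return f"<html><body><p>Error: unknown action '{value}'</p></body></html>"


def error_page_fixed(value: str) -> str:
    """Hardened form: HTML-encode the input before interpolation, so the browser
    shows it as text. quote=True also encodes quotes, which matters because the
    value sits inside single quotes in the template."""
    safe = html.escape(value, quote=True)
    return f"<html><body><p>Error: unknown action '{safe}'</p></body></html>"


def reflects_markup(page: str, value: str) -> bool:
    """Reviewer's check: does a value containing HTML metacharacters appear in
    the response unencoded? True means the response is reflecting raw markup."""
    has_meta = any(c in value for c in "<>\"'&")
    return has_meta and value in page
```

Run the two renderers over the same decoded parameter and compare `reflects_markup`: the vulnerable page echoes the markup, the fixed page contains only `&lt;script&gt;` entities.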
Severity
CVSSv3.1 Base Score: 8.2 (High)
CVSSv3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Recommendations
We recommend that all users upgrade to a known-fixed version. Versions prior
to 1.7 are end-of-life and will not receive security fixes from the
LedgerSMB project.
Users who cannot upgrade may apply the included patches, or are advised
to contact a vendor for custom support.
There are no workarounds available for this vulnerability.
References
https://ledgersmb.org/cve-2021-3694-cross-site-scripting
https://huntr.dev/bounties/ef7f4cf7-3a81-4516-b261-f5b6ac21430c/