CVE-2024-23831 (Cross-Site Request Forgery)

Submitted by ehu on

Privilege escalation through CSRF attack on 'setup.pl'

Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.


Known vulnerable

All of:

1.11.8 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.8

1.10.29 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.29

  • Fix formatting of amounts in AR/AP search results (#7896)
  • Explicitly set foreground color on dark backgrounds in blue theme (#7875)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.29/README.md

1.11.7 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.7

1.10.28 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.28

  • Retain partsgroup selection on Update in parts screen (#7848)
  • Fix missing columns on trial balance 'Ending' report type (#7870)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.28/README.md

1.11.6 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.6

1.10.27 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.27

  • Fix 'delete' link shown in CoA screen on accounts used with parts (#7812)
  • Fix deletion of parts (#7811)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.10.27/README.md

1.11.5 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.5

1.10.26 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.10.26

1.11.4 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.11.4