1.7.37 Released
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.9.5
1.7
1.7.36 Released
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.36
- Fix manual taxes on credit invoices (#5721)
- Improve configuring acceptable reverse proxy addresses
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.36/README.md
1.7.35 Released
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.35
1.7.34 Released
Unfortunately, the fixes for the security vulnerabilities
released on Monday August 23 regressed some functionalities.
This release fixes those regressions:
Changelog for 1.7.34
- Follow-up to fix for CVE-2021-3693 to fix display of search results
- Follow-up for the fix to CVE-2021-3693; fix bulk-posting payments
For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.7.34/README.md
1.7.33 Released
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:
Security advisory for CVE-2021-3731 (Clickjacking)
Insufficient protection against 'clickjacking'
Summary
LedgerSMB does not sufficiently guard against being wrapped by
other sites, making it vulnerable to 'clickjacking. This allows
an attacker to trick a targetted user to execute unintended actions.
Known vulnerable
All of:
Security advisory for CVE-2021-3693 (Cross site scripting)
DOM cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of:
- 1.5.0 upto 1.5.30 (including)
- 1.6.0 upto 1.6.33 (including)
- 1.7.0 upto 1.7.32 (including)
- 1.8.0 upto 1.8.17 (including)
Security advisory for CVE-2021-3694 (Cross site scripting)
Reflected cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of:
1.7.32 Released
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.32
1.7.31 Released
The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:
Changelog for 1.7.31