1.8

Security advisory for CVE-2021-3693 (Cross site scripting)

Submitted by ehu on

DOM cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.


Known vulnerable

  All of:

  - 1.5.0 up to 1.5.30 (inclusive)
  - 1.6.0 up to 1.6.33 (inclusive)
  - 1.7.0 up to 1.7.32 (inclusive)
  - 1.8.0 up to 1.8.17 (inclusive)

Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

  All of:

Hill Holdings Ltd - Barbados

Submitted by ehu on

Hill Holdings Ltd is a small company in Barbados, in the sunny Caribbean.  We are in the vacation rentals business, and we use LedgerSMB's General Ledger module to keep track of our income and expenses.

From a technical point of view, I found LedgerSMB easy to install.  Upgrades and fixes come out frequently, and it is very easy to upgrade via a small Bash script that I wrote myself.

1.8.17 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.17

* Align filters between UI and the database on draft transaction search (#5692)
* Correctly present manual tax and invoice total on reversing invoice (#5721)
* Repeatedly saving a draft invoice pops up an SQL error (#5679)

1.8.16 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.16

1.8.15 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.15

1.8.14 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.14

* Follow-up (fix) to upgrades blocked by files attached to transactions

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.14/README.md

1.8.13 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.13

1.8.12 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.12

* Improve upgrades in light of files attached to transactions
* Fix 1.3 upgrade breaking on default currency function type
* Fix duplicate key error in upgrade data validation
* Fix upload of goods from CSV