Security advisory for CVE-2021-3693 (Cross site scripting)
DOM cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of:
- 1.5.0 upto 1.5.30 (including)
- 1.6.0 upto 1.6.33 (including)
- 1.7.0 upto 1.7.32 (including)
- 1.8.0 upto 1.8.17 (including)