
Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages before sending them to the browser. By luring an authenticated user into opening a specially crafted URL, an attacker can abuse this flaw to execute code (script running in the victim's browser, in the context of the user's authenticated LedgerSMB session) and to disclose information.
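To make the "not sufficiently HTML-encode" point concrete, the following is an added example, not LedgerSMB's own code: a constructed attacker string is reflected through two hypothetical templates (one in text context, one inside a double-quoted attribute), first through an encoder that only handles angle brackets, then through one that also encodes quotes and ampersands. The partial encoder looks safe in text context but still lets the input break out of an attribute value.

```javascript
// Added example (not LedgerSMB code). Template strings, function names and the
// crafted input below are constructed for illustration.

// Constructed attacker input, as a crafted URL parameter might reach an error message.
const CRAFTED_INPUT = '" onmouseover="alert(document.cookie)" x="<script>1</script>';

// Insufficient encoder: only angle brackets. Enough for text nodes, not for attributes.
function weakEncode(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened encoder: every character that can change HTML structure in text or
// double/single-quoted attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical templates that reflect an error message.
function renderTextContext(msg, encode) {
  return `<p class="error">Error: ${encode(msg)}</p>`;
}
function renderAttrContext(msg, encode) {
  return `<input name="q" value="${encode(msg)}">`;
}

// Structural checks: did the rendered markup keep exactly the shape the template intended?
// Text context is intact when no raw '<' or '>' appears in the message slot.
function textIntact(html) {
  return /^<p class="error">Error: [^<>]*<\/p>$/.test(html);
}
// Attribute context is intact when no raw '"' terminates the value early.
function attrIntact(html) {
  return /^<input name="q" value="([^"]*)">$/.test(html);
}

// Run the crafted input through each encoder/context pair.
function demo() {
  const none = (s) => String(s);
  return {
    rawText: textIntact(renderTextContext(CRAFTED_INPUT, none)),        // no encoding: tag injected
    weakText: textIntact(renderTextContext(CRAFTED_INPUT, weakEncode)), // text context survives
    weakAttr: attrIntact(renderAttrContext(CRAFTED_INPUT, weakEncode)), // attribute breakout
    strongText: textIntact(renderTextContext(CRAFTED_INPUT, htmlEncode)),
    strongAttr: attrIntact(renderAttrContext(CRAFTED_INPUT, htmlEncode)),
  };
}

console.log(demo());
```

The lesson for a fix or a review is that the encoder must match the output context: an error message that is safe as a text node can still become an event handler once it lands in an attribute, so encode `&`, `<`, `>`, `"` and `'` everywhere the value is interpolated into HTML, and prefer a templating layer that does this by default.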

Known vulnerable

  All of:

Which versions do you support?

Submitted by ehu on

Active support

The versions listed below are under active development and are supported by the community. Planned end-of-life dates for current releases are:

  • 1.12: Planned End-of-life date: 2026-12-14 (released 2024-12-14)
  • 1.11: Planned End-of-life date: 2025-10-03 (released 2023-10-03)

End of life

If you're looking for help on how to use EOL-ed versions, please try the users mailing list.
If you're looking for someone to create bugfixes, please check with one of the parties providing commercial support; for less urgent fixes, report them at LedgerSMB Issues.

Version 1.10 has been declared end-of-life on 2024-10-08. The last release in the series is 1.10.38. No further releases will be made by the community.

Version 1.9 has been declared end-of-life on 2023-09-24. The last release in the series is 1.9.30. No further releases will be made by the community.

Version 1.8 has been declared end-of-life on 2022-09-04. The last release in the series is 1.8.31. No further releases will be made by the community.

Version 1.7 has been declared end-of-life on 2022-10-04. The last release in the series is 1.7.41. No further releases will be made by the community.

Version 1.6 has been declared end-of-life on 2021-06-10. The last release in the series is 1.6.33. No further releases will be made by the community.

Version 1.5 has been declared end-of-life on 2019-12-23. The last release in the series is 1.5.30. No further releases will be made by the community.

Version 1.4 has been declared end-of-life on 2017-09-16. The last release in the series is 1.4.42. No further releases will be made by the community.

Version 1.3 has been declared end-of-life on 2015-12-23. The last release in the series is 1.3.47. No further releases will be made by the community.

LedgerSMB versions 1.0, 1.1 and 1.2 won't be maintained any further due to the fact that there are some known security issues which can't be fixed.

Chat Support (Matrix)

Submitted by Anonymous (not verified) on
Interactive help can often be found in our chat room. This is often the best way to get help, both for complex questions and for quick questions and answers. This page explains your options for connecting to the room and how to best ask questions. There are other non-native English speakers in the rooms; please feel free to join!