1.3

How do I backup my data?

Submitted by Anonymous (not verified) on

Log in to the the 'setup.pl' administrative interface, using your ledgersmb database admin user (usually "lsmb_dbadmin" or "postgres"). The default address for setup.pl is http://localhost/ledgersmb/setup.pl.

There are 2 buttons:

  • Backup database (parts, customers, accounting records, etc)
  • Backup roles (your login accounts and rights)

One creates a backup of the content of your database. The other creates a backup of the roles.

COGS assembly fix

Submitted by ehu on

All versions from 1.3.0 to 1.11.16 are affected by a bug in Cost of Goods Sold (COGS) accounting for assemblies: Instead of accounting expenses and reducing inventory, negative expenses are posted, putting goods into inventory.

I never used assemblies; am I affected too?

No. Only if you used assemblies in combination with LedgerSMB 1.3.0 through 1.11.15, you're affected.

cve-2024-23831 (Cross Site Request Forgery)

Submitted by ehu on

Privilege escalation through CSRF attack on 'setup.pl'

Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.


Known vulnerable

All of:

Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

  All of:

1.3.48 Released

Submitted by ehu on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This release
contains the following fixes and improvements:

  • Adding current directory explicitly to include path for Debian (Chris T and Erik H)

Please note that this release quickly follows a security update of the base
Debian Perl package, as the security release broke LedgerSMB's operation,
resulting in HTTP 500 (Internal server error) being thrown on every request.