Can I use IBANs with LedgerSMB?
Yes. IBANs are very long bank account numbers. LedgerSMB has no problems storing, retrieving and using these without any issue.
- Read more about Can I use IBANs with LedgerSMB?
- Log in or register to post comments
1.5
Is LedgerSMB SEPA proof?
Yes. SEPA (Single Euro Payments Area) requires support for very long bank account numbers (IBANs or International Bank Account Numbers). LedgerSMB can store and use these numbers without problems.
- Read more about Is LedgerSMB SEPA proof?
- Log in or register to post comments
How do I restore my data?
Assuming you have followed the How Do I Backup My Data instructions, you can restore your database as follows...
Note LedgerSMB versions prior to version 1.9.16 did not support PostgreSQL 14 or higher due to a backward incompatible change in PostgreSQL 14.
- Read more about How do I restore my data?
- Log in or register to post comments
How do I backup my data?
Log in to the the 'setup.pl' administrative interface, using your ledgersmb database admin user (usually "lsmb_dbadmin" or "postgres"). The default address for setup.pl is http://localhost/ledgersmb/setup.pl.
There are 2 buttons:
- Backup database (parts, customers, accounting records, etc)
- Backup roles (your login accounts and rights)
One creates a backup of the content of your database. The other creates a backup of the roles.
- Read more about How do I backup my data?
- 1 comment
- Log in or register to post comments
COGS assembly fix
All versions from 1.3.0 to 1.11.16 are affected by a bug in Cost of Goods Sold (COGS) accounting for assemblies: Instead of accounting expenses and reducing inventory, negative expenses are posted, putting goods into inventory.
I never used assemblies; am I affected too?
No. Only if you used assemblies in combination with LedgerSMB 1.3.0 through 1.11.15, you're affected.
- Read more about COGS assembly fix
- Log in or register to post comments
cve-2024-23831 (Cross Site Request Forgery)
Privilege escalation through CSRF attack on 'setup.pl'
Summary
When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent. This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.
Known vulnerable
All of:
Upgrade to LedgerSMB 1.11 (from 1.10 through 1.4)
Upgrading tarball installations
There are two steps to upgrading a LedgerSMB 1.4.x - 1.10.x to 1.11:
- Upgrade the software
- Upgrade the company database
The last step must be executed for each company database that's set up.
- Read more about Upgrade to LedgerSMB 1.11 (from 1.10 through 1.4)
- Log in or register to post comments
Security advisory for CVE-2021-3731 (Clickjacking)
Insufficient protection against 'clickjacking'
Summary
LedgerSMB does not sufficiently guard against being wrapped by
other sites, making it vulnerable to 'clickjacking. This allows
an attacker to trick a targetted user to execute unintended actions.
Known vulnerable
All of:
Security advisory for CVE-2021-3693 (Cross site scripting)
DOM cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of:
- 1.5.0 upto 1.5.30 (including)
- 1.6.0 upto 1.6.33 (including)
- 1.7.0 upto 1.7.32 (including)
- 1.8.0 upto 1.8.17 (including)
Security advisory for CVE-2021-3694 (Cross site scripting)
Reflected cross-site scripting of authenticated users in LedgerSMB
Summary
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Known vulnerable
All of: