1.5

How do I backup my data?

Submitted by Anonymous (not verified) on

Log in to the the 'setup.pl' administrative interface, using your ledgersmb database admin user (usually "lsmb_dbadmin" or "postgres"). The default address for setup.pl is http://localhost/ledgersmb/setup.pl.

There are 2 buttons:

  • Backup database (parts, customers, accounting records, etc)
  • Backup roles (your login accounts and rights)

One creates a backup of the content of your database. The other creates a backup of the roles.

COGS assembly fix

Submitted by ehu on

All versions from 1.3.0 to 1.11.16 are affected by a bug in Cost of Goods Sold (COGS) accounting for assemblies: Instead of accounting expenses and reducing inventory, negative expenses are posted, putting goods into inventory.

I never used assemblies; am I affected too?

No. Only if you used assemblies in combination with LedgerSMB 1.3.0 through 1.11.15, you're affected.

cve-2024-23831 (Cross Site Request Forgery)

Submitted by ehu on

Privilege escalation through CSRF attack on 'setup.pl'

Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.


Known vulnerable

All of:

Security advisory for CVE-2021-3693 (Cross site scripting)

Submitted by ehu on

DOM cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.


Known vulnerable

  All of:

  - 1.5.0 upto 1.5.30 (including)
  - 1.6.0 upto 1.6.33 (including)
  - 1.7.0 upto 1.7.32 (including)
  - 1.8.0 upto 1.8.17 (including)

Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

  All of: