1.8

cve-2024-23831 (Cross Site Request Forgery)

Submitted by ehu on

Privilege escalation through CSRF attack on 'setup.pl'

Summary

When a LedgerSMB database administrator has an active session in /setup.pl,
an attacker can trick the admin into clicking on a link which automatically
submits a request to setup.pl without the admin's consent.  This request can
be used to create a new user account with full application (/login.pl)
privileges, leading to privilege escalation.
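The mechanism behind the advisory, as an added illustration that is not LedgerSMB code: a cross-site form post carries the victim's session cookie, so an endpoint that authorizes on the cookie alone cannot tell the forged request from a real one. The endpoint name, the origin https://ledger.example, the cookie name "sid" and the form fields are assumptions for the example; the hardened variant shows the two checks a practitioner would expect (an Origin check and a per-session synchronizer token), not the project's actual fix.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Added example, not LedgerSMB code. Models a setup-style "create user"
# action, first trusting the session cookie alone, then with CSRF defences.

APP_ORIGIN = "https://ledger.example"   # assumed deployment origin


@dataclass
class Request:
    method: str
    origin: str                  # Origin header: set by the browser, not by page content
    cookies: Dict[str, str]      # the browser attaches these on cross-site posts too
    form: Dict[str, str] = field(default_factory=dict)


SESSIONS: Dict[str, dict] = {}   # session id -> session record (server side)
USERS: Dict[str, set] = {}       # username -> granted privileges


def login_admin(sid: str) -> None:
    """Admin logs in; a CSRF token is minted and bound to the session."""
    SESSIONS[sid] = {"user": "dbadmin", "csrf": secrets.token_urlsafe(32)}


def _create_user(form: Dict[str, str]) -> Tuple[int, str]:
    USERS[form["username"]] = {"full_app_access"}
    return (200, "created")


def create_user_vulnerable(req: Request) -> Tuple[int, str]:
    """Authorizes on the cookie alone: any POST with a valid session succeeds,
    no matter which site the form was submitted from."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return (401, "no session")
    return _create_user(req.form)


def create_user_hardened(req: Request) -> Tuple[int, str]:
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return (401, "no session")
    # 1. Fail closed on Origin: a form posted from attacker.example carries that
    #    origin, and an absent/"null" Origin is rejected too.
    if req.origin != APP_ORIGIN:
        return (403, "cross-origin request rejected")
    # 2. Synchronizer token: the form must echo the token bound to this session;
    #    an attacker's page cannot read it, so a forged post cannot supply it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return (403, "missing or invalid CSRF token")
    return _create_user(req.form)


def forged_request(sid: str) -> Request:
    """What the admin's browser sends after being lured onto attacker.example:
    the victim's cookie rides along, but Origin is the attacker's site and
    the per-session token is missing (constructed sample request)."""
    return Request("POST", "https://attacker.example", {"sid": sid},
                   {"username": "mallory", "password": "x"})


def legitimate_request(sid: str) -> Request:
    """A post from the application's own page, token included (constructed)."""
    return Request("POST", APP_ORIGIN, {"sid": sid},
                   {"username": "alice", "password": "x",
                    "csrf_token": SESSIONS[sid]["csrf"]})
```

Run login_admin("s1") and feed forged_request("s1") to both handlers: the vulnerable one creates "mallory" with full access, the hardened one returns 403 before touching USERS, while legitimate_request("s1") still succeeds. Marking the session cookie SameSite=Lax or Strict is a complementary defence, but the server-side checks above do not depend on it.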


Known vulnerable

All of:

Session expired immediately after logging in

Submitted by ehu on

When I log in, LedgerSMB 1.8 or higher immediately says my session has expired. What can I do to fix this?

Short answer: add the "--preload-app" flag to the Starman command line.

Long answer: As of LedgerSMB 1.8, session information is stored in an encrypted cookie. To make sure the encryption key is unique for every installation, a new encryption secret is generated each time LedgerSMB is started. However, Starman (without the "--preload-app" flag) loads the application separately in each forked worker, so every worker ends up with its own secret. A session cookie issued by one worker then cannot be decrypted by the worker that serves the next request, and the application reports the session as expired. With "--preload-app", the application (and its secret) is loaded once in the parent process before the workers are forked, so all workers share the same key.
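The failure mode above, as an added model that is not LedgerSMB or Starman code: a per-startup secret is either generated once before "forking" (preload) or once per worker (no preload), and a cookie minted by one worker is checked by another. The HMAC-signed cookie is a stand-in for the real encrypted cookie, and the worker count, payload and helper names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# Added illustration, not LedgerSMB code. Models how a per-process session
# secret behaves under Starman's two application-loading strategies.


def new_secret() -> bytes:
    """Fresh per-startup secret, as the text describes LedgerSMB generating."""
    return secrets.token_bytes(32)


def start_workers(preload_app: bool, workers: int = 3) -> List[bytes]:
    """Return the session secret each worker ends up holding.

    preload_app=True : the app (and its secret) is created once in the parent
                       before forking, so every worker inherits the same key.
    preload_app=False: each worker loads the app after the fork and therefore
                       generates its own secret.
    (Fork is modelled by list construction; no processes are started.)
    """
    if preload_app:
        parent_secret = new_secret()
        return [parent_secret for _ in range(workers)]
    return [new_secret() for _ in range(workers)]


def issue_session(secret: bytes, payload: dict) -> str:
    """Mint a cookie as base64(json) + '.' + HMAC-SHA256 tag under this worker's key."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_session(secret: bytes, cookie: str) -> Optional[dict]:
    """Verify the tag with this worker's key; None is what the user sees as
    'session expired'."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def login_then_next_request(preload_app: bool) -> bool:
    """Login is handled by worker 0; the very next request lands on worker 1.
    Returns True if the session survives, False if it 'expired'."""
    ws = start_workers(preload_app)
    cookie = issue_session(ws[0], {"user": "admin", "company": "demo"})
    return read_session(ws[1], cookie) is not None
```

login_then_next_request(False) models the reported symptom (every worker has a different key, so only requests that happen to hit the issuing worker succeed), and login_then_next_request(True) models a Starman started with --preload-app. The same reasoning applies to any multi-process deployment: a per-startup secret must be generated before the workers are created, or loaded from shared configuration.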

1.8.30 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is excited to announce yet another
new version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.30

* Fix invoices randomly being incorrectly voided (#2321)
* Fix response status code checks to correctly roll back on error (#6586)

Please note that this release fixes bug #2321, which the project
team was never able to reproduce but which different users have
reported many times over the past years.

1.8.29 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.29

* Fix the 1.8 Changelog which had been replaced with the 1.9 Changelog

Changelog for 1.8.28

* Fix reconciliation for multiple payments with the same Source (#6526)
* Fix reconciliation for payments with GL corrections (#6533)

1.8.27 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.27

* Fix tax form details reports throwing an error (#6458)
* Support PostgreSQL 14 (#6500)
* Allow deletion of transactions with shipto address (#6509)

1.8.26 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.26

* Fix double-counting of lines with business units in the trial balance (#6402)

For installation instructions and system requirements, see
https://github.com/ledgersmb/LedgerSMB/blob/1.8.26/README.md

1.8.25 Released

Submitted by LedgerSMB_Team on

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the fix for a data loss issue that was reported
to us two days ago. The issue concerns the deletion of batches, which
causes loss of the information linking payments to the transactions being
paid. This issue is present in all 1.8 releases before 1.8.25.
Additionally, it contains the following fixes and improvements:

Changelog for 1.8.25