Security advisory

Security advisory for CVE-2021-3882 (non-Secure session cookie)

Submitted by ehu on

  Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Summary

  LedgerSMB does not set the 'Secure' attribute on the session authorization
  cookie when the client uses HTTPS and the LedgerSMB server is behind a
  reverse proxy.  By tricking a user to use an unencrypted connection (HTTP),
  an attacker may be able to obtain the authentication data by capturing
  network traffic.


Known vulnerable

  All of:

  - 1.8.0 upto 1.8.21 (including)


Known fixed

  - 1.8.22

Security advisory for CVE-2021-3693 (Cross site scripting)

Submitted by ehu on

DOM cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.


Known vulnerable

  All of:

  - 1.5.0 upto 1.5.30 (including)
  - 1.6.0 upto 1.6.33 (including)
  - 1.7.0 upto 1.7.32 (including)
  - 1.8.0 upto 1.8.17 (including)


Known fixed

  - 1.7.33
  - 1.8.18

Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.  By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

  All of:

Security: Denial of Service Vulnerability in 1.3.20 and below

Submitted by Chris Travers on

A security oversight has been discovered in LedgerSMB 1.3 which could allow a malicious user to cause a denial of service against LedgerSMB or otherwise affect the way in which certain forms of data would get entered.  In most cases we do not believe this to be particularly severe in the presence of internal process controls.  Users in some jurisdictions however may need to take this more seriously (see full details below).

Basic vulnerability characteristics

Security advisory: SQL Injection in LedgerSMB 1.2.24 and lower

Submitted by Chris Travers on

Hi all;

The LedgerSMB development team has found an SQL injection issue in LedgerSMB 1.2.24. Because this issue stems from our common SQL-Ledger heritage, it affects all versions of LedgerSMB and has been confirmed in SQL-Ledger 2.8.33. We contacted Dieter when we initially discovered this and now three weeks later it is doubtful when this will be fixed on his side (his last communication said it was likely to be at least a few more weeks from present with no committed timeline). It is expected that when SQL-Ledger 2.8.34 is released it will contain a fix for this issue.