) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:ledgersmb:ledgersmb:1.5.23:*:*:*:*:*:*:*
- CPE Name Search: true
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2024-23831 |
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9. Published: February 02, 2024; 11:15:55 AM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
| CVE-2021-3731 |
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions. Published: August 23, 2021; 9:15:08 AM -0400 |
V4.0:(not available) V3.1: 4.7 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2021-3694 |
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure. Published: August 23, 2021; 9:15:07 AM -0400 |
V4.0:(not available) V3.1: 9.6 CRITICAL V2.0: 6.8 MEDIUM |
| CVE-2021-3693 |
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure. Published: August 23, 2021; 9:15:07 AM -0400 |
V4.0:(not available) V3.1: 9.6 CRITICAL V2.0: 6.8 MEDIUM |