CVE-2021-3693Cross-site Scripting in Ledgersmb

CWE-79Cross-site Scripting8 documents5 sources
Severity
9.6CRITICALNVD
EPSS
0.8%
top 26.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Ledgersmb LedgersmbLedgersmbDebian Ledgersmb+1 more
Timeline
PublishedAug 23
Latest updateJul 17

Description

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages5 packages

debiandebian/ledgersmb< ledgersmb 1.6.9+ds-2.1 (bookworm)
CVEListV5ledgersmb/ledgersmb_ledgersmbunspecified1.8.18
Debianledgersmb/ledgersmb< 1.6.9+ds-2+deb11u2+1
Ubuntuledgersmb/ledgersmb< 1.6.9+ds-1ubuntu0.1+5
NVDledgersmb/ledgersmb1.5.01.5.30+3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: ledgersmb.orgPatch: ledgersmb.org

🔴Vulnerability Details

4
OSV
ledgersmb vulnerabilities2025-07-17
GHSA
GHSA-x27f-prq2-qwh6: LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM2022-05-24
OSV
ledgersmb vulnerabilities2021-09-30
OSV
CVE-2021-3693: LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM2021-08-23

📋Vendor Advisories

3
Ubuntu
LedgerSMB vulnerabilities2025-07-17
Ubuntu
LedgerSMB vulnerabilities2021-09-30
Debian
CVE-2021-3693: ledgersmb - LedgerSMB does not check the origin of HTML fragments merged into the browser's ...2021