CVE-2024-23831Cross-Site Request Forgery in Ledgersmb

CWE-352Cross-Site Request Forgery5 documents4 sources
Severity
7.5HIGHNVD
OSV9.6
EPSS
0.3%
top 47.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
LedgersmbDebian Ledgersmb
Timeline
PublishedFeb 2
Latest updateJul 17

Description

LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages4 packages

CVEListV5ledgersmb/ledgersmb< 1.10.30+1
NVDledgersmb/ledgersmb1.3.01.10.30+1
Ubuntuledgersmb/ledgersmb< 1.6.33+ds-1ubuntu0.1+4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
ledgersmb vulnerabilities2025-07-17
OSV
CVE-2024-23831: LedgerSMB is a free web-based double-entry accounting system2024-02-02

📋Vendor Advisories

2
Ubuntu
LedgerSMB vulnerabilities2025-07-17
Debian
CVE-2024-23831: ledgersmb - LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB d...2024