Debian Ledgersmb vulnerabilities

5 known vulnerabilities affecting debian/ledgersmb.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2024-23831  HIGH  CVSS 7.5  2024
CVE-2024-23831 [HIGH] ledgersmb: LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent (cross-site request forgery against the setup interface). This request can be used to create a new user account with full application (/login.pl) privi
Scope: no fixed Debian version is listed on this page for this CVE.
CVE-2021-3693  HIGH  CVSS 8.8  fixed in ledgersmb 1.6.9+ds-2.1 (bookworm)  2021
CVE-2021-3693 [HIGH] ledgersmb: LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Scope: local. bookworm: resolved (fixed in 1.6.9+ds-2.1); bullseye: resolved (fixed in 1.6.9+ds-2+deb11u2).
CVE-2021-3694  HIGH  CVSS 8.2  fixed in ledgersmb 1.6.9+ds-2.1 (bookworm)  2021
CVE-2021-3694 [HIGH] ledgersmb: LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Scope: local. bookworm: resolved (fixed in 1.6.9+ds-2.1); bullseye: resolved (fixed in 1.6.9+ds-2+deb11u2).
CVE-2021-3731  MEDIUM  CVSS 5.9  fixed in ledgersmb 1.6.9+ds-2.1 (bookworm)  2021
CVE-2021-3731 [MEDIUM] ledgersmb: LedgerSMB does not sufficiently guard against being wrapped (framed) by other sites, making it vulnerable to clickjacking. This allows an attacker to trick a targeted user into executing unintended actions.
Scope: local. bookworm: resolved (fixed in 1.6.9+ds-2.1); bullseye: resolved (fixed in 1.6.9+ds-2+deb11u2).
CVE-2021-3882  LOW  CVSS 6.8  2021
CVE-2021-3882 [LOW] ledgersmb: LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user into using an unencrypted connection (HTTP), an attacker may be able to obtain the authentication data by capturing network traffic. LedgerSMB 1.8 and newer switched from Basic authenticatio
Scope: no fixed Debian version is listed on this page for this CVE. It is counted as the page's single LOW entry, although a CVSS score of 6.8 falls in the Medium band of the CVSS v3 qualitative scale.
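Two of the entries above (CVE-2021-3731, clickjacking, and CVE-2021-3882, session cookie without 'Secure' behind a reverse proxy) are visible in the HTTP responses a deployed instance returns, so they can be verified from the client side without touching the package. The following added example, not LedgerSMB or tracker code, parses a raw HTTP response and reports a missing framing restriction (no `X-Frame-Options: DENY|SAMEORIGIN` and no CSP `frame-ancestors`) and any `Set-Cookie` lacking `Secure` when the client actually connected over HTTPS. It also flags a missing `HttpOnly`, which goes beyond what the page states and is marked as an extra check in the code. The two sample responses and the cookie name `session` are constructed for illustration; `client_used_https` stands in for what the browser saw, which matters precisely because an application behind a reverse proxy may only see plain HTTP from the proxy.

```python
"""Audit HTTP response headers for clickjacking protection and cookie
attributes. Added example; not LedgerSMB code. Sample responses constructed."""

import re


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name_lower, value), ...]).
    Header names are lower-cased; repeated headers (Set-Cookie) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_values(headers, name):
    """All values of one header, in order of appearance."""
    return [v for n, v in headers if n == name]


def cookie_attrs(set_cookie):
    """Cookie name and a dict of its attributes (lower-cased keys) from one
    Set-Cookie value, e.g. 'session=abc; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_response(raw, client_used_https):
    """Return a list of findings (empty means both checks pass)."""
    _, headers = parse_response(raw)
    findings = []

    # CVE-2021-3731 class: the page must forbid framing by other origins.
    xfo = [v.upper() for v in header_values(headers, "x-frame-options")]
    csp = header_values(headers, "content-security-policy")
    has_frame_ancestors = any(re.search(r"(^|;)\s*frame-ancestors\b", v) for v in csp)
    if not (has_frame_ancestors or any(v in ("DENY", "SAMEORIGIN") for v in xfo)):
        findings.append("framing not restricted: no CSP frame-ancestors and "
                        "no X-Frame-Options DENY/SAMEORIGIN")

    for sc in header_values(headers, "set-cookie"):
        name, attrs = cookie_attrs(sc)
        # CVE-2021-3882 class: an HTTPS client must get Secure on the cookie,
        # even if the app behind the proxy only saw plain HTTP.
        if client_used_https and "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure although the client "
                            "connected over HTTPS")
        # Extra check, beyond what the page states: keep cookies out of script.
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings


# Constructed sample: what a proxied instance that trusts its own (HTTP)
# scheme and sets no framing headers might return.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed sample: same response with both issues corrected.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw, client_used_https=True) or ["ok"])
```

Run the check against the public (proxied) URL, not against the backend port, since the proxy is where the cookie the browser stores is decided. Until the package is upgraded, the proxy itself can add the attribute: Apache with `Header edit Set-Cookie ^(.*)$ "$1; Secure"`, nginx (1.19.3 or later) with `proxy_cookie_flags ~ secure httponly;`, and either one can add the `X-Frame-Options` and `Content-Security-Policy` headers for the clickjacking entry.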