Ledgersmb
CVE-2021-3731
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions.
AnalysisAI
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-1021. LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions. Affected products include: Ledgersmb, Debian Debian Linux.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the Led
The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. Rated critical severity (CVSS 9.6), this
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. Rated critical severity (CVSS 9.6),
LedgerSMB is a free web-based double-entry accounting system. Rated high severity (CVSS 7.5), this vulnerability is remo
Share
External POC / Exploit Code
Leaving vuln.today