Skip to main content

Ledgersmb

6 CVEs product

Monthly

CVE-2024-23831 HIGH PATCH This Week

LedgerSMB is a free web-based double-entry accounting system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Privilege Escalation CSRF Ledgersmb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2021-3882 MEDIUM POC PATCH This Month

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Apache Information Disclosure Ledgersmb
NVD GitHub
CVSS 3.1
6.8
EPSS
0.9%
CVE-2021-3731 MEDIUM This Month

LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Ledgersmb Debian Linux
NVD
CVSS 3.1
4.7
EPSS
1.1%
CVE-2021-3694 CRITICAL PATCH Act Now

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Information Disclosure Ledgersmb Debian Linux
NVD GitHub
CVSS 3.1
9.6
EPSS
2.4%
CVE-2021-3693 CRITICAL PATCH Act Now

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Information Disclosure Ledgersmb Debian Linux
NVD
CVSS 3.1
9.6
EPSS
3.0%
CVE-2018-9246 CRITICAL Act Now

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Pgobject Util Dbadmin Ledgersmb
NVD
CVSS 3.0
9.8
EPSS
2.6%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

LedgerSMB is a free web-based double-entry accounting system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Privilege Escalation CSRF Ledgersmb
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Nginx Apache Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM This Month

LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Ledgersmb Debian Linux
NVD
EPSS 2% CVSS 9.6
CRITICAL PATCH Act Now

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Information Disclosure +2
NVD GitHub
EPSS 3% CVSS 9.6
CRITICAL PATCH Act Now

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

RCE XSS Information Disclosure +2
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Pgobject Util Dbadmin Ledgersmb
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy