Vulnerabilities > Ledgersmb
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-02-02 | CVE-2024-23831 | Cross-Site Request Forgery (CSRF) vulnerability in Ledgersmb LedgerSMB is a free web-based double-entry accounting system. | 7.5 |
2021-10-14 | CVE-2021-3882 | Missing Encryption of Sensitive Data vulnerability in Ledgersmb LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. | 6.8 |
2021-08-23 | CVE-2021-3693 | Cross-site Scripting vulnerability in multiple products LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. | 6.8 |
2021-08-23 | CVE-2021-3694 | Cross-site Scripting vulnerability in multiple products LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. | 6.8 |
2021-08-23 | CVE-2021-3731 | Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. | 4.3 |
2018-06-08 | CVE-2018-9246 | Improper Encoding or Escaping of Output vulnerability in multiple products The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. | 7.5 |
2007-10-11 | CVE-2007-5372 | SQL Injection vulnerability in multiple products Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through 1.2.7 and (b) DWS Systems SQL-Ledger 2.x allow remote attackers to execute arbitrary SQL commands via (1) the invoice quantity field or (2) the sort field. | 10.0 |
2007-07-19 | CVE-2007-3907 | Authentication Bypass vulnerability in LedgerSMB Login.PL Unspecified vulnerability in login.pl in LedgerSMB 1.2.0 through 1.2.6 allows remote attackers to bypass authentication and perform certain actions as an arbitrary user via unspecified vectors involving a URL with a redirect parameter value, along with a callback parameter containing an escaped URL that specifies the action. | 10.0 |
2007-03-13 | CVE-2007-1437 | Remote Security vulnerability in LedgerSMB Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution. | 9.0 |
2007-03-13 | CVE-2007-1436 | Password Check vulnerability in LedgerSMB Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring. | 7.5 |