LedgerSMB vulnerabilities

Each entry lists: date, CVE, title, description, and then, where the source recorded them, the attack vector, attack complexity, vendor/product, CWE, severity and CVSS score.
2024-02-02  CVE-2024-23831  Cross-Site Request Forgery (CSRF) vulnerability in LedgerSMB
LedgerSMB is a free web-based double-entry accounting system.
Attack vector: network | Attack complexity: high | Product: ledgersmb | CWE-352 | CVSS: 7.5
2021-10-14  CVE-2021-3882  Missing Encryption of Sensitive Data vulnerability in LedgerSMB
LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. Because the proxy terminates TLS, the application only sees a plain-HTTP hop and omits the attribute, so the browser will also send the session cookie over an unencrypted connection to the same host.
Attack vector: network | Attack complexity: high | Product: ledgersmb | CWE-311 | CVSS: 6.8
2021-08-23  CVE-2021-3693  Cross-site Scripting vulnerability in multiple products
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM.
CVSS: 6.8
2021-08-23  CVE-2021-3694  Cross-site Scripting vulnerability in multiple products
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.
CVSS: 6.8
2021-08-23  CVE-2021-3731  Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products
LedgerSMB does not sufficiently guard against its pages being framed by other sites, making it vulnerable to clickjacking.
CVSS: 4.3
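The two header-level findings above (CVE-2021-3882, the session cookie set without Secure behind a TLS-terminating reverse proxy, and CVE-2021-3731, no anti-framing header) can be checked and corrected at the proxy or in a middleware in front of the application. The following Python is an added example, not LedgerSMB code or its actual fix. The host, cookie name and header values are constructed; it assumes request header names have already been lower-cased, and that X-Forwarded-Proto is only trusted on connections that really come from your own proxy.

```python
# Added example, not code from LedgerSMB or the advisories above. It audits and
# repairs the response headers behind the two findings: a session cookie set
# without the Secure attribute when the end user is on HTTPS (the app only sees
# the reverse proxy's plain-HTTP hop), and a page served without any
# anti-framing header (clickjacking).
from dataclasses import dataclass
from typing import Dict, List, Tuple

Header = Tuple[str, str]


@dataclass(frozen=True)
class Finding:
    check: str      # "cookie-secure" or "clickjacking"
    detail: str


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attribute map with lower-cased keys) for a
    Set-Cookie header value such as 'sid=abc; Path=/; HttpOnly'."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def client_uses_https(request_headers: Dict[str, str], direct_tls: bool) -> bool:
    """Whether the end user's connection is TLS. Behind a TLS-terminating proxy
    the application's own socket is plain HTTP, so the only signal is the
    X-Forwarded-Proto header the proxy adds. Only trust it when the request
    actually came from your proxy (check the peer address first)."""
    if direct_tls:
        return True
    xfp = request_headers.get("x-forwarded-proto", "")
    return xfp.split(",")[0].strip().lower() == "https"


def has_framing_protection(response_headers: List[Header]) -> bool:
    """True if the response forbids or restricts framing by other origins.
    The obsolete X-Frame-Options ALLOW-FROM form is deliberately not accepted."""
    for name, value in response_headers:
        lname = name.lower()
        if lname == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            return True
        if lname == "content-security-policy" and "frame-ancestors" in value.lower():
            return True
    return False


def audit_response(request_headers: Dict[str, str], response_headers: List[Header],
                   direct_tls: bool = False) -> List[Finding]:
    """Report cookies missing Secure on an HTTPS session and missing framing protection."""
    findings: List[Finding] = []
    https = client_uses_https(request_headers, direct_tls)
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if https and "secure" not in attrs:
            findings.append(Finding("cookie-secure",
                f"cookie {cookie!r} set on an HTTPS session without the Secure attribute"))
    if not has_framing_protection(response_headers):
        findings.append(Finding("clickjacking",
            "no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors directive"))
    return findings


def harden_response(request_headers: Dict[str, str], response_headers: List[Header],
                    direct_tls: bool = False) -> List[Header]:
    """What a proxy or middleware fix does: add Secure to cookies when the
    client is on HTTPS and add anti-framing headers when none are present."""
    https = client_uses_https(request_headers, direct_tls)
    out: List[Header] = []
    for name, value in response_headers:
        if name.lower() == "set-cookie" and https:
            _, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                value = value.rstrip("; ") + "; Secure"
        out.append((name, value))
    if not has_framing_protection(out):
        out.append(("X-Frame-Options", "DENY"))
        out.append(("Content-Security-Policy", "frame-ancestors 'none'"))
    return out


# Constructed sample: what the app sees on the proxy hop and what it sends back.
# The cookie name and value are hypothetical.
SAMPLE_REQUEST = {"host": "ledger.example.test", "x-forwarded-proto": "https"}
SAMPLE_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "LedgerSMB=3f9c0a7d; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(f"[{f.check}] {f.detail}")
    print(harden_response(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Run against a real deployment by feeding it the headers captured at the application side (not at the browser), since the point of CVE-2021-3882 is that the application's view of the connection differs from the user's. `frame-ancestors 'none'` is the modern control; X-Frame-Options is kept alongside it for older browsers.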
2018-06-08  CVE-2018-9246  Improper Encoding or Escaping of Output vulnerability in multiple products
The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell command injection via the create(), run_file(), backup(), or restore() function.
CVSS: 7.5
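The bug class in CVE-2018-9246 is a database-administration command line (pg_dump, psql and the like) assembled by string interpolation and handed to a shell. The following Python is an added example, not the PGObject::Util::DBAdmin code or its fix; the attacker-controlled database name is constructed, and the command is prefixed with `echo` as a stand-in so it runs anywhere and prints what would have been executed instead of invoking pg_dump.

```python
# Added example, not code from PGObject::Util::DBAdmin or LedgerSMB. It shows
# the vulnerable shell-string pattern, what an injected value does to it, and
# the two safe alternatives: an argv list (no shell at all) or shell quoting.
import shlex
import subprocess
from typing import List

# Stand-in for the real tool so the example runs offline: with `echo` in front,
# the shell prints the pg_dump command line instead of executing it.
TOOL_PREFIX = "echo pg_dump"

# Constructed attacker-controlled value (in the real module values such as the
# database name came from object attributes set by the caller).
EVIL_DBNAME = "ledger; echo INJECTED"


def backup_command_unsafe(dbname: str) -> str:
    """The vulnerable pattern: metacharacters in dbname become shell syntax."""
    return f"{TOOL_PREFIX} --format=c --dbname={dbname}"


def backup_command_quoted(dbname: str) -> str:
    """If a shell string is unavoidable (a pipeline, say), quote every value so
    the shell sees it as exactly one word."""
    return f"{TOOL_PREFIX} --format=c --dbname={shlex.quote(dbname)}"


def backup_command_argv(dbname: str) -> List[str]:
    """Preferred fix: an argv list. No shell parses it, so dbname is one
    argument however it is spelled. Perl's list-form system()/exec is the same idea."""
    return TOOL_PREFIX.split() + ["--format=c", f"--dbname={dbname}"]


def run_shell(cmd: str) -> str:
    """Execute a command string through /bin/sh and return its stdout."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(argv: List[str]) -> str:
    """Execute an argv list directly (no shell) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def shell_words(cmd: str) -> List[str]:
    """Tokenize the way a POSIX shell would, so the effect of ';' is visible
    without running anything (';' shows up as its own token when it is live)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


if __name__ == "__main__":
    print("unsafe :", repr(run_shell(backup_command_unsafe(EVIL_DBNAME))))
    print("quoted :", repr(run_shell(backup_command_quoted(EVIL_DBNAME))))
    print("argv   :", repr(run_argv(backup_command_argv(EVIL_DBNAME))))
    print("tokens :", shell_words(backup_command_unsafe(EVIL_DBNAME)))
```

With the unsafe form the second line of output, INJECTED, comes from a command the attacker chose; the quoted and argv forms pass the whole string through as a single database name. Credentials belong in PGPASSWORD or a .pgpass file rather than on the command line in any of the variants, since the command line is visible to other local users.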
2007-10-11  CVE-2007-5372  SQL Injection vulnerability in multiple products
Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through 1.2.7 and (b) DWS Systems SQL-Ledger 2.x allow remote attackers to execute arbitrary SQL commands via (1) the invoice quantity field or (2) the sort field.
Attack vector: network | Attack complexity: low | Products: dws-systems-inc, ledgersmb | CWE-89 | Severity: critical | CVSS: 10.0
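The two injection points named in CVE-2007-5372 are instructive because they need different fixes: a numeric quantity can be bound as a parameter, but a sort field lands in ORDER BY, which no driver lets you parameterize, so it needs an allow-list. The following Python rebuilds both on an in-memory SQLite table, with the vulnerable query beside the fixed one, and then shows what ORDER BY injection buys an attacker even where stacked queries are impossible. It is an added example, not LedgerSMB or SQL-Ledger code; the schema, rows and the users table are constructed.

```python
# Added example, not code from LedgerSMB or SQL-Ledger. Vulnerable and fixed
# versions of the two queries behind CVE-2007-5372 on a constructed schema,
# plus a blind-extraction oracle built on the sort-field injection.
import sqlite3
from typing import List, Tuple

# Allow-list mapping user-supplied sort keys to real column names. ORDER BY
# cannot take a bind parameter, so this is the standard defence for it.
SORTABLE_COLUMNS = {"id": "id", "description": "description", "qty": "qty"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the invoice tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE invoice (id INTEGER PRIMARY KEY, description TEXT, qty INTEGER);
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO invoice VALUES (1, 'widgets', 10), (2, 'gadgets', 3), (3, 'gizmos', 10);
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return conn


def find_by_qty_unsafe(conn: sqlite3.Connection, qty: str) -> List[Tuple[int]]:
    """Vulnerable pattern: the quantity string is spliced into the SQL text."""
    return conn.execute(f"SELECT id FROM invoice WHERE qty = {qty}").fetchall()


def find_by_qty_safe(conn: sqlite3.Connection, qty: str) -> List[Tuple[int]]:
    """Fixed: validate the type, then bind the value; it never becomes SQL."""
    return conn.execute("SELECT id FROM invoice WHERE qty = ?", (int(qty),)).fetchall()


def list_unsafe(conn: sqlite3.Connection, sort: str) -> List[Tuple[int]]:
    """Vulnerable pattern: the sort field is spliced into ORDER BY."""
    return conn.execute(f"SELECT id FROM invoice ORDER BY {sort}").fetchall()


def list_safe(conn: sqlite3.Connection, sort: str) -> List[Tuple[int]]:
    """Fixed: only allow-listed keys reach the statement text."""
    column = SORTABLE_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort field: {sort!r}")
    return conn.execute(f"SELECT id FROM invoice ORDER BY {column}").fetchall()


def sort_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """ORDER BY injection without stacked queries: the row order answers a
    yes/no question about any data the connection can read."""
    rows = list_unsafe(conn, f"CASE WHEN ({condition}) THEN id ELSE -id END")
    return rows[0][0] == 1          # ascending ids means the condition held


def leak_via_sort(conn: sqlite3.Connection,
                  alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789",
                  max_len: int = 32) -> str:
    """Recover the admin password one character at a time through the oracle."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            probe = f"(SELECT password FROM users WHERE login = 'admin') LIKE '{known + ch}%'"
            if sort_oracle(conn, probe):
                known += ch
                break
        else:
            return known            # no character extends the prefix: finished
    return known


if __name__ == "__main__":
    db = make_db()
    print("unsafe qty lookup with '10 OR 1=1':", find_by_qty_unsafe(db, "10 OR 1=1"))
    print("leaked through ORDER BY:", leak_via_sort(db))
```

The quantity case is the textbook one: `10 OR 1=1` returns every row from the unsafe query and is rejected outright by the fixed one. The sort case matters because a reviewer may dismiss ORDER BY injection as "only reordering": the oracle above reads the stored password with nothing but the result order.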
2007-07-19  CVE-2007-3907  Authentication Bypass vulnerability in LedgerSMB login.pl
Unspecified vulnerability in login.pl in LedgerSMB 1.2.0 through 1.2.6 allows remote attackers to bypass authentication and perform certain actions as an arbitrary user via unspecified vectors involving a URL with a redirect parameter value, along with a callback parameter containing an escaped URL that specifies the action.
Attack vector: network | Attack complexity: low | Product: ledgersmb | Severity: critical | CVSS: 10.0
2007-03-13  CVE-2007-1437  File overwrite, authentication bypass and code execution vulnerability in LedgerSMB and SQL-Ledger
Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution.
Attack vector: network | Attack complexity: low | Products: ledgersmb, sql-ledger | Severity: critical | CVSS: 9.0
2007-03-13  CVE-2007-1436  Authentication bypass (skipped password check) vulnerability in LedgerSMB and SQL-Ledger admin.pl
Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevent a password check from occurring.
Attack vector: network | Attack complexity: low | Products: ledgersmb, sql-ledger | CVSS: 7.5