Vulnerabilities > Ledgersmb

DATE CVE VULNERABILITY TITLE RISK
2024-02-02 CVE-2024-23831 Cross-Site Request Forgery (CSRF) vulnerability in Ledgersmb
LedgerSMB is a free web-based double-entry accounting system.
network
high complexity
ledgersmb CWE-352
7.5
2021-10-14 CVE-2021-3882 Missing Encryption of Sensitive Data vulnerability in Ledgersmb
LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy.
network
high complexity
ledgersmb CWE-311
6.8
2021-08-23 CVE-2021-3693 Cross-site Scripting vulnerability in multiple products
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM.
network
low complexity
ledgersmb debian CWE-79
critical
9.6
2021-08-23 CVE-2021-3694 Cross-site Scripting vulnerability in multiple products
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.
network
low complexity
ledgersmb debian CWE-79
critical
9.6
2021-08-23 CVE-2021-3731 Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'.
network
low complexity
ledgersmb debian CWE-1021
4.7
2018-06-08 CVE-2018-9246 Improper Encoding or Escaping of Output vulnerability in multiple products
The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function.
network
low complexity
pgobject-util-dbadmin-project ledgersmb CWE-116
critical
9.8