Vulnerabilities > Ledgersmb

DATE        CVE             VULNERABILITY TITLE                                                                                  RISK
2021-10-14  CVE-2021-3882   Missing Encryption of Sensitive Data vulnerability in Ledgersmb 1.8.0                                4.0
    LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy.
    Vector: network | Complexity: high | Vendor/product: ledgersmb | CWE-311

2021-08-23  CVE-2021-3693   Cross-site Scripting vulnerability in multiple products                                              6.8
    LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM.

2021-08-23  CVE-2021-3694   Cross-site Scripting vulnerability in multiple products                                              6.8
    LedgerSMB does not sufficiently HTML-encode error messages sent to the browser.

2021-08-23  CVE-2021-3731   Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products              4.3
    LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'.

2018-06-08  CVE-2018-9246   Improper Encoding or Escaping of Output vulnerability in multiple products                           7.5
    The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function.

2008-09-15  CVE-2008-4078   SQL Injection vulnerability in multiple products                                                     6.5
    SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
    Vector: network | Complexity: low | Vendor/product: dws-systems-inc ledgersmb sql-ledger | CWE-89

2008-09-15  CVE-2008-4077   Resource Management Errors vulnerability in multiple products                                        7.8
    The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.
    Vector: network | Complexity: low | Vendor/product: dws-systems-inc ledgersmb sql-ledger | CWE-399

2007-10-11  CVE-2007-5372   SQL Injection vulnerability in multiple products                                                     critical (10.0)
    Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through 1.2.7 and (b) DWS Systems SQL-Ledger 2.x allow remote attackers to execute arbitrary SQL commands via (1) the invoice quantity field or (2) the sort field.
    Vector: network | Complexity: low | Vendor/product: dws-systems-inc ledgersmb | CWE-89

2007-07-19  CVE-2007-3907   Authentication Bypass vulnerability in LedgerSMB Login.PL                                            critical (10.0)
    Unspecified vulnerability in login.pl in LedgerSMB 1.2.0 through 1.2.6 allows remote attackers to bypass authentication and perform certain actions as an arbitrary user via unspecified vectors involving a URL with a redirect parameter value, along with a callback parameter containing an escaped URL that specifies the action.
    Vector: network | Complexity: low | Vendor/product: ledgersmb

2007-04-10  CVE-2007-1923   (no title given)                                                                                     7.5
    (1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests.
    Vector: network | Complexity: low | Vendor/product: dws-systems-inc ledgersmb