SQL Ledger vulnerabilities

DATE        CVE             VULNERABILITY TITLE                                                                          RISK

2009-12-23  CVE-2009-4402   Configuration vulnerability in Sql-Ledger 2.8.24                                             7.5
            The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative
            operations by providing an arbitrary password to the admin interface.
            Attack vector: network. Attack complexity: low. Product: sql-ledger. Weakness: CWE-16.

2009-12-23  CVE-2009-3584   Configuration vulnerability in Sql-Ledger 2.8.24                                             5.0
            SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it
            easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
            Attack vector: network. Attack complexity: low. Product: sql-ledger. Weakness: CWE-16.

2009-12-23  CVE-2009-3583   Path Traversal vulnerability in Sql-Ledger 2.8.24                                            5.1
            Directory traversal vulnerability in the Preferences menu item in SQL-Ledger 2.8.24 allows remote attackers
            to include and execute arbitrary local files via a ..
            Attack vector: network. Attack complexity: high. Product: sql-ledger. Weakness: CWE-22.

2009-12-23  CVE-2009-3582   SQL Injection vulnerability in Sql-Ledger 2.8.24                                             6.5
            Multiple SQL injection vulnerabilities in the delete subroutine in SQL-Ledger 2.8.24 allow remote
            authenticated users to execute arbitrary SQL commands via the (1) id and possibly (2) db parameters in a
            Delete action to the output of a Vendors>Reports>Search search operation.
            Attack vector: network. Attack complexity: low. Product: sql-ledger. Weakness: CWE-89.

2009-12-23  CVE-2009-3581   Cross-Site Scripting vulnerability in Sql-Ledger 2.8.24                                      3.5
            Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8.24 allow remote authenticated users to
            inject arbitrary web script or HTML via (1) the DCN Description field in the Accounts Receivables menu item
            for Add Transaction, (2) the Description field in the Accounts Payable menu item for Add Transaction, or the
            name field in (3) the Customers menu item for Add Customer or (4) the Vendor menu item for Add Vendor.
            Attack vector: network. Product: sql-ledger. Weakness: CWE-79.

2009-12-23  CVE-2009-3580   Cross-Site Request Forgery (CSRF) vulnerability in Sql-Ledger 2.8.24                         6.8
            Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to
            hijack the authentication of arbitrary users for requests that change a password via the login,
            new_password, and confirm_password parameters in a preferences action.

2008-09-15  CVE-2008-4078   SQL Injection vulnerability in multiple products                                             6.5
            SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and
            (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via
            unspecified vectors.
            Attack vector: network. Attack complexity: low. Products: dws-systems-inc ledgersmb, sql-ledger.
            Weakness: CWE-89.

2008-09-15  CVE-2008-4077   Resource Management Errors vulnerability in multiple products                                7.8
            The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote
            attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large
            Content-Length.
            Attack vector: network. Attack complexity: low. Products: dws-systems-inc ledgersmb, sql-ledger.
            Weakness: CWE-399.

2007-03-20  CVE-2007-1541   Local File Include And Authentication Bypass vulnerability in Sql-Ledger 2.6.27              7.5
            Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00)
            character to protect against directory traversal attacks, which allows remote attackers to run arbitrary
            executables and bypass authentication via a ..
            Attack vector: network. Attack complexity: low. Product: sql-ledger.

2007-03-20  CVE-2007-1540   Local File Include And Authentication Bypass vulnerability in LedgerSMB/SQL-Ledger           4.3
                            Login Parameter
            Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 and earlier, and (2) LedgerSMB before
            1.2.0, allows remote attackers to run arbitrary executables and bypass authentication via a ..