9.6

CVE-2021-3694

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Data is provided by the National Vulnerability Database (NVD)
LedgersmbLedgersmb Version >= 1.1.0 <= 1.1.12
LedgersmbLedgersmb Version >= 1.2.0 <= 1.2.26
LedgersmbLedgersmb Version >= 1.3.0 <= 1.3.47
LedgersmbLedgersmb Version >= 1.4.0 <= 1.4.42
LedgersmbLedgersmb Version >= 1.5.0 <= 1.5.30
LedgersmbLedgersmb Version >= 1.6.0 <= 1.6.33
LedgersmbLedgersmb Version >= 1.7.0 <= 1.7.32
LedgersmbLedgersmb Version >= 1.8.0 <= 1.8.17
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.63% 0.692
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.6 2.8 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
security@huntr.dev 8.2 2.8 4.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.