Ledgersmb

Ledgersmb

18 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2024-23831

  • EPSS 0.19%
  • Published 02.02.2024 16:15:55
  • Last modified 21.11.2024 08:58:30

LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl withou...

6.8

CVE-2021-3882

Exploit
  • EPSS 0.16%
  • Published 14.10.2021 09:15:08
  • Last modified 21.11.2024 06:22:42

LedgerSMB does not set the 'Secure' attribute on the session authorization cookie when the client uses HTTPS and the LedgerSMB server is behind a reverse proxy. By tricking a user to use an unencrypted connection (HTTP), an attacker may be able to ob...

4.7

CVE-2021-3731

  • EPSS 0.28%
  • Published 23.08.2021 13:15:08
  • Last modified 21.11.2024 06:22:16

LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions.

9.6

CVE-2021-3694

  • EPSS 0.63%
  • Published 23.08.2021 13:15:07
  • Last modified 21.11.2024 06:22:10

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

9.6

CVE-2021-3693

  • EPSS 1.76%
  • Published 23.08.2021 13:15:07
  • Last modified 21.11.2024 06:22:10

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

9.8

CVE-2018-9246

  • EPSS 1.02%
  • Published 08.06.2018 01:29:02
  • Last modified 21.11.2024 04:15:12

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(...

6.5

CVE-2008-4078

  • EPSS 0.69%
  • Published 15.09.2008 15:14:07
  • Last modified 09.04.2025 00:30:58

SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

7.8

CVE-2008-4077

  • EPSS 1.98%
  • Published 15.09.2008 15:14:07
  • Last modified 09.04.2025 00:30:58

The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.

10

CVE-2007-5372

  • EPSS 2.39%
  • Published 11.10.2007 10:17:00
  • Last modified 09.04.2025 00:30:58

Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through 1.2.7 and (b) DWS Systems SQL-Ledger 2.x allow remote attackers to execute arbitrary SQL commands via (1) the invoice quantity field or (2) the sort field.

10

CVE-2007-3907

  • EPSS 2.44%
  • Published 19.07.2007 17:30:00
  • Last modified 09.04.2025 00:30:58

Unspecified vulnerability in login.pl in LedgerSMB 1.2.0 through 1.2.6 allows remote attackers to bypass authentication and perform certain actions as an arbitrary user via unspecified vectors involving a URL with a redirect parameter value, along wi...