Description
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
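The mechanism above, modelled as an added example: a toy stand-in for an authenticated setup endpoint that creates users, once without any cross-site check and once with the standard fix (same-origin check plus a session-bound token). This is illustration code written for this page, not LedgerSMB's own implementation; the origin `https://ledgersmb.example`, the form fields `action`, `username` and `csrf_token`, and the session layout are all assumptions and are not setup.pl's real parameters.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed deployment origin of the accounting app (hypothetical name).
SITE_ORIGIN = "https://ledgersmb.example"


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]   # the browser attaches these automatically, even cross-site
    headers: Dict[str, str]
    form: Dict[str, str]


@dataclass
class Session:
    admin: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SetupApp:
    """Toy stand-in for the setup endpoint: an authenticated session can create users.
    Field names ('action', 'username', 'csrf_token') are invented for this example."""

    def __init__(self, require_csrf: bool) -> None:
        self.require_csrf = require_csrf
        self.sessions: Dict[str, Session] = {}
        self.users: Dict[str, str] = {}  # username -> privilege level

    def login_admin(self, name: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(admin=name)
        return sid

    @staticmethod
    def _same_origin(url: str) -> bool:
        # Exact scheme+host(+port) match; a prefix test would wrongly accept
        # "https://ledgersmb.example.evil.test".
        p = urlsplit(url)
        return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

    def _csrf_ok(self, req: Request, sess: Session) -> bool:
        # 1. Origin (Referer as fallback) must be our own site: a form auto-submitted
        #    from the attacker's page carries the attacker's origin.
        origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
        if not self._same_origin(origin):
            return False
        # 2. The form must carry the token bound to this session. The attacker's page
        #    cannot read it, so it cannot forge a passing request. Constant-time compare.
        return hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token)

    def handle(self, req: Request) -> Tuple[int, str]:
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 401, "no admin session"
        if req.method == "POST" and req.path == "/setup.pl" and req.form.get("action") == "create_user":
            if self.require_csrf and not self._csrf_ok(req, sess):
                return 403, "cross-site request rejected"
            self.users[req.form["username"]] = "full"
            return 200, "user created"
        return 404, "unknown action"


def forged_request(sid: str, attacker_origin: str = "https://attacker.test") -> Request:
    """What arrives when the logged-in admin visits the attacker's page: the browser
    sends the session cookie, but Origin is the attacker's site and no token is present."""
    return Request("POST", "/setup.pl", {"sid": sid}, {"Origin": attacker_origin},
                   {"action": "create_user", "username": "mallory"})


def legitimate_request(app: SetupApp, sid: str) -> Request:
    """Same action submitted from the app's own page, which embedded the session token."""
    token = app.sessions[sid].csrf_token
    return Request("POST", "/setup.pl", {"sid": sid}, {"Origin": SITE_ORIGIN},
                   {"action": "create_user", "username": "alice", "csrf_token": token})


def run_scenario(require_csrf: bool, attacker_origin: str = "https://attacker.test") -> Tuple[int, int, bool]:
    """Returns (forged status, legitimate status, whether 'mallory' was created)."""
    app = SetupApp(require_csrf)
    sid = app.login_admin("admin")
    forged_status, _ = app.handle(forged_request(sid, attacker_origin))
    legit_status, _ = app.handle(legitimate_request(app, sid))
    return forged_status, legit_status, "mallory" in app.users


if __name__ == "__main__":
    print("vulnerable:", run_scenario(require_csrf=False))  # (200, 200, True)
    print("hardened:  ", run_scenario(require_csrf=True))   # (403, 200, False)
    print("lookalike: ", run_scenario(True, "https://ledgersmb.example.evil.test"))  # (403, 200, False)
```

The vulnerable configuration accepts the forged request because the session cookie alone authenticates it; the hardened one rejects it on both the origin and the missing token while the same-site submission still succeeds. Setting the session cookie with `SameSite=Lax` or `Strict` is a useful defence-in-depth layer, but it is not a substitute for the token check, since it depends on browser behaviour the server does not control.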
| Release | Status | Note |
|---|---|---|
| bionic | ignored | end of standard support |
| devel | released | 1.6.33+ds-2.2ubuntu1 |
| esm-apps/bionic | not-affected | code not present |
| esm-apps/focal | released | 1.6.9+ds-1ubuntu0.1+esm1 |
| esm-apps/jammy | released | 1.6.33+ds-1ubuntu0.1 |
| esm-apps/noble | released | 1.6.33+ds-2.1ubuntu0.1 |
| esm-apps/xenial | not-affected | code not present |
| focal | ignored | end of standard support, was needed |
| jammy | released | 1.6.33+ds-1ubuntu0.1 |
| mantic | ignored | end of life, was needed |
CVSS3: 7.5 High