First published: Mon Aug 23 2021
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. An attacker who gets an authenticated user to open a specially crafted URL can abuse this flaw for remote code execution and information disclosure.
Credit: security@huntr.dev
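The bug class described above, as an added example that is not LedgerSMB's code and not its actual patch: a client-side script takes a URL from untrusted input (typically the page's own location, such as the hash or a query parameter), fetches the HTML it points at and merges the result into the DOM. If the script never checks which origin that URL resolves to, a link that the victim opens while logged in makes the browser load attacker-controlled markup, and whatever script it carries runs in the authenticated session. The hypothetical fragmentSourceUnchecked() reproduces the unchecked pattern; resolveFragmentSource() adds the origin check a fix needs. The hosts erp.example.test and attacker.example, the constant PAGE_HREF and the SAMPLE_HREFS list are all constructed for the example.

```javascript
// Added example, not LedgerSMB code. Assumed application page the script runs on.
const PAGE_HREF = "https://erp.example.test/erp/login.pl";

// Vulnerable pattern: whatever the untrusted input resolves to is used as the
// fragment source. A crafted link such as
//   https://erp.example.test/erp/login.pl#//attacker.example/payload.html
// makes the browser fetch attacker HTML and hand it to the DOM.
function fragmentSourceUnchecked(untrustedHref, pageHref = PAGE_HREF) {
  return new URL(untrustedHref, pageHref).href;
}

// Hardened pattern: resolve the input relative to the page, then accept it only
// when its origin equals the page's own origin. Returns the URL to fetch, or
// null when the fragment must be refused.
function resolveFragmentSource(untrustedHref, pageHref = PAGE_HREF) {
  let url;
  let page;
  try {
    url = new URL(untrustedHref, pageHref);
    page = new URL(pageHref);
  } catch {
    return null; // unparsable input or base: refuse rather than guess
  }
  // new URL() has already normalised "//host/path", "https://user@host/", and
  // look-alike hosts; data: and javascript: URLs get the opaque origin "null",
  // so a strict comparison against the page origin rejects all of them.
  if (url.origin !== page.origin) {
    return null;
  }
  return url.href;
}

// Constructed sample inputs: values an attacker could place in a crafted link.
const SAMPLE_HREFS = [
  "/erp/login.pl",                                    // same-origin path
  "reports/trial-balance.html",                       // relative path
  "https://erp.example.test/erp/dashboard",           // absolute, same origin
  "//attacker.example/payload.html",                  // protocol-relative
  "https://erp.example.test@attacker.example/p.html", // userinfo trick
  "https://erp.example.test.attacker.example/p.html", // look-alike host
  "data:text/html,<script>alert(1)</script>",         // opaque origin "null"
  "javascript:alert(document.cookie)",                // scheme, not a location
];

// Runs every sample through both functions so the difference is visible.
function auditSamples(pageHref = PAGE_HREF) {
  return SAMPLE_HREFS.map((href) => ({
    href,
    unchecked: fragmentSourceUnchecked(href, pageHref),
    checked: resolveFragmentSource(href, pageHref),
  }));
}

for (const row of auditSamples()) {
  console.log(`${row.checked === null ? "REFUSED " : "accepted"} ${row.href}`);
  console.log(`           unchecked code would fetch: ${row.unchecked}`);
}
```

The origin comparison is the minimum. Even a same-origin fragment should only be merged into the DOM if the application already trusts every HTML document the server serves under that origin; user-uploaded files or error pages reachable there would otherwise become an injection vector of their own.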
Affected Software | Affected Version | How to fix |
---|---|---|
debian/ledgersmb | Package versions before 1.6.9+ds-1+deb10u3 (Debian 10), 1.6.9+ds-2+deb11u3 (Debian 11) and 1.6.33+ds-2.1 | Update to the listed package version or later |
Ledgersmb Ledgersmb | >=1.5.0 <=1.5.30 | Upgrade to a release newer than the affected range |
Ledgersmb Ledgersmb | >=1.6.0 <=1.6.33 | Upgrade to a release newer than the affected range |
Ledgersmb Ledgersmb | >=1.7.0 <=1.7.32 | Upgrade to a release newer than the affected range |
Ledgersmb Ledgersmb | >=1.8.0 <=1.8.17 | Upgrade to a release newer than the affected range |
Debian Debian Linux | =10.0 | See debian/ledgersmb |
Debian Debian Linux | =11.0 | See debian/ledgersmb |
CVE-2021-3693 is a vulnerability in LedgerSMB: the application does not check the origin of HTML fragments it merges into the browser's DOM, so an attacker who gets an authenticated user to open a specially crafted URL can abuse it for remote code execution and information disclosure.
The severity of CVE-2021-3693 is Critical, with a CVSS score of 9.6.
To fix CVE-2021-3693 on Debian, update the ledgersmb package to 1.6.9+ds-1+deb10u3 (Debian 10), 1.6.9+ds-2+deb11u3 (Debian 11) or 1.6.33+ds-2.1, or later. Upstream installations should upgrade to a LedgerSMB release newer than the affected ranges listed above.
You can find more information about CVE-2021-3693 at the following references: [1] [2] [3].