First published: Mon Aug 23 2021
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Credit: security@huntr.dev
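The class of flaw described above, as an added example that is not LedgerSMB's own code: an error-page builder that interpolates the error text taken from the request without encoding, beside the hardened form that HTML-encodes it before sending it to the browser. The handler names, the `error` query parameter and the crafted URL are assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a crafted URL whose "error" parameter carries markup.
# The parameter name is an assumption, not LedgerSMB's actual interface.
CRAFTED_URL = "https://erp.example/login.pl?error=%3Cscript%3Eprobe()%3C/script%3E"


def error_text_from_url(url: str) -> str:
    """Return the error message the application would echo back for this URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("error", [""])[0]


def render_error_vulnerable(message: str) -> str:
    """Interpolates the message verbatim: any markup in it becomes live markup in the page."""
    return f'<div class="error">{message}</div>'


def render_error_fixed(message: str) -> str:
    """HTML-encodes the message so the browser renders it as text.

    quote=True also encodes quotes, which matters if the value is ever placed
    inside an attribute rather than element content.
    """
    return f'<div class="error">{html.escape(message, quote=True)}</div>'


def contains_active_markup(fragment: str) -> bool:
    """Crude regression check for a test suite: does the rendered fragment still
    carry a raw script tag or an inline event handler?"""
    lowered = fragment.lower()
    return "<script" in lowered or "onerror=" in lowered or "onload=" in lowered


if __name__ == "__main__":
    msg = error_text_from_url(CRAFTED_URL)
    print("vulnerable:", render_error_vulnerable(msg))
    print("fixed:     ", render_error_fixed(msg))
```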
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/ledgersmb | 1.6.9+ds-1+deb10u3, 1.6.9+ds-2+deb11u3, 1.6.33+ds-2.1 | |
| Ledgersmb Ledgersmb | >=1.1.0 <=1.1.12 | |
| Ledgersmb Ledgersmb | >=1.2.0 <=1.2.26 | |
| Ledgersmb Ledgersmb | >=1.3.0 <=1.3.47 | |
| Ledgersmb Ledgersmb | >=1.4.0 <=1.4.42 | |
| Ledgersmb Ledgersmb | >=1.5.0 <=1.5.30 | |
| Ledgersmb Ledgersmb | >=1.6.0 <=1.6.33 | |
| Ledgersmb Ledgersmb | >=1.7.0 <=1.7.32 | |
| Ledgersmb Ledgersmb | >=1.8.0 <=1.8.17 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
The vulnerability ID for this LedgerSMB vulnerability is CVE-2021-3694.
CVE-2021-3694 has a severity rating of critical with a score of 9.6.
CVE-2021-3694 can be abused for remote code execution and information disclosure.
LedgerSMB versions 1.6.9+ds-1+deb10u3, 1.6.9+ds-2+deb11u3, and 1.6.33+ds-2.1 are affected by CVE-2021-3694.
To fix CVE-2021-3694 in LedgerSMB, update to a version that is not affected, such as 1.6.34+ds-1+deb10u1 or later.