(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. The LedgerSMB affected versions are before 1.3.0.
AV:N/AC:L/Au:N/C:P/I:P/A:PLedgersmb
APPLedgersmb< 1.3.0Sql Ledger
APPSql-Ledgerwszystkie wersje
Related vulnerabilities
The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently...
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an a...
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially cr...
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted...
The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative o...