Packages
- ledgersmb - A libre software double entry accounting and enterprise resource planning (ERP) system
Details
It was discovered that LedgerSMB did not check the origin of HTML
fragments. An attacker could possibly use this issue to send a
maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2021-3693)
It was discovered that LedgerSMB did not properly encode HTML
error messages. An attacker could possibly use this issue to send
a maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2021-3694)
It was discovered that LedgerSMB did not guard against discrete
link redirections. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (
It was discovered that LedgerSMB did not check the origin of HTML
fragments. An attacker could possibly use this issue to send a
maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2021-3693)
It was discovered that LedgerSMB did not properly encode HTML
error messages. An attacker could possibly use this issue to send
a maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2021-3694)
It was discovered that LedgerSMB did not guard against discrete
link redirections. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-3731)
It was discovered that LedgerSMB did not properly set the 'Secure'
attribute during HTTPS sessions. If a user were tricked into using
an unencrypted connection, an attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu
25.04. (CVE-2021-3882)
It was discovered that LedgerSMB could create admin accounts via
a URL. If an admin were tricked into clicking a maliciously
crafted URL, an attacker could possibly use this issue to
achieve privilege escalation. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2024-23831)
Update instructions
After a standard system update you need to restart LedgerSMB to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 25.04 plucky | ledgersmb – 1.6.33+ds-2.2ubuntu0.25.04.1 | ||
| 24.04 noble | ledgersmb – 1.6.33+ds-2.1ubuntu0.1 | ||
| 22.04 jammy | ledgersmb – 1.6.33+ds-1ubuntu0.1 | ||
| 20.04 focal | ledgersmb – 1.6.9+ds-1ubuntu0.1+esm1 | ||
| 18.04 bionic | ledgersmb – 1.4.42+ds-1ubuntu0.1~esm1 | ||
| 16.04 xenial | ledgersmb – 1.3.46-1ubuntu0.1~esm1 | ||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.