UbuntuUpdates.org

Package "ledgersmb"

Name: ledgersmb

Description:

financial accounting and ERP program

Latest version: 1.6.9+ds-1ubuntu0.1
Release: focal (20.04)
Level: security
Repository: universe
Homepage: http://www.ledgersmb.org/

Other versions of "ledgersmb" in Focal

Repository Area Version
base universe 1.6.9+ds-1
updates universe 1.6.9+ds-1ubuntu0.1

Changelog

Version: 1.6.9+ds-1ubuntu0.1 2021-09-29 15:06:27 UTC

  ledgersmb (1.6.9+ds-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Cross-site Scripting
    - debian/patches/1.6-cve-2021-3693.patch: Fix display of search results
      and bulk-posting payments.
    - debian/patches/1.6-cve-2021-3693-regression.patch: Fix regression for
      failing to show errors as popups and broken downloads of backups.
    - debian/patches/1.6-cve-2021-3694.patch: Use escape_html to avoid
      specially crafted URL.
    - CVE-2021-3693
    - CVE-2021-3694
  * SECURITY UPDATE: Clickjacking
    - debian/patches/1.6-cve-2021-3731.patch: Set Content-Security-Policy for
      the header.
    - CVE-2021-3731

 -- Paulo Flabiano Smorigo <email address hidden> Tue, 28 Sep 2021 14:11:37 +0000

CVE-2021-3693 LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, thi
CVE-2021-3694 LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this fla
CVE-2021-3731 LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick
