CVE-2024-23831

02.02.2024, 16:15

LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent.  This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation.  The vulnerability is patched in versions 1.10.30 and 1.11.9.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 39%

Vendor	Product	Version
ledgersmb	ledgersmb	1.3.0 ≤ 𝑥 < 1.10.30
ledgersmb	ledgersmb	1.11.0 ≤ 𝑥 < 1.11.9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

ledgersmb

bullseye	no-dsa
bullseye (security)	vulnerable
bookworm	no-dsa
buster	no-dsa
sid	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

ledgersmb

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
mantic	ignored
jammy	needed
focal	needed
bionic	not-affected
xenial	not-affected
trusty	ignored

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165

https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm

https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165

https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm