Security Advisory

CVE-2024-23831

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2024-02-02 15:34:12
Last updated 2024-08-21 15:39:55
Assigner GitHub_M
State PUBLISHED

Description

LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admins consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.