LedgerSMB is a free web-based double-entry bookkeeping system with quoting, ordering, invoicing, projects, time cards, inventory management, shipping, and more. A cross-site scripting vulnerability exists in LedgerSMB, caused by the application's failure to check the origin of HTML fragments before merging them into the browser DOM. An attacker could exploit it by sending a specially crafted URL to an authenticated user; successful exploitation could lead to remote code execution and information disclosure.