CVE-2024-23831

Published: Feb 02, 2024 - 4:15 p.m. (2024-02-02 16:15:55)
Weakness: CWE-352 (Cross-Site Request Forgery)
Source: web.nvd.nist.gov
Tags: ledgersmb, setup.pl, privilege escalation, cve-2024-23831, nvd, security vulnerability
CVSS 3.1: 7.5 High
  Attack Vector:          NETWORK
  Attack Complexity:      HIGH
  Privileges Required:    NONE
  User Interaction:       REQUIRED
  Scope:                  UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact:       HIGH
  Availability Impact:    HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001 (Low), percentile 23.9%

LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent (a cross-site request forgery, CWE-352: the browser attaches the admin's session cookie to the forged request). This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
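The request pattern the description refers to, and the standard server-side defence against it, as an added example written for this page in Python rather than LedgerSMB's own Perl code. The endpoint path /setup.pl comes from the page; the form field names (action, username, csrf_token), the host name, the in-memory session store and the handler logic are assumptions made for illustration, not LedgerSMB's real parameters or the project's actual fix.

```python
# Added example, not LedgerSMB code: a cookie-only authorised state-changing
# endpoint (the CWE-352 pattern) next to the same endpoint guarded by a
# per-session synchronizer token plus an Origin/Referer check.
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

APP_HOST = "ledger.example.internal"   # assumed deployment host


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


SESSIONS: dict = {}   # session id -> {"user": ..., "csrf": ...}
USERS: list = []      # application users created through the endpoint


def login_admin(name: str) -> str:
    """Open an admin session; a fresh CSRF token is bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": name, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    return SESSIONS[sid]["csrf"]


def _authenticated(req: Request):
    return SESSIONS.get(req.cookies.get("sid"))


def create_user_vulnerable(req: Request) -> int:
    """Authorises on the session cookie alone. The browser attaches that cookie
    to a form POST launched from any site, so an attacker page can drive this
    endpoint in the admin's name."""
    if req.method != "POST" or req.path != "/setup.pl":
        return 404
    if _authenticated(req) is None:
        return 401
    USERS.append(req.form["username"])
    return 200


def csrf_check(req: Request) -> bool:
    """Accept only if Origin/Referer (when sent) names our host AND the form
    carries the token bound to this session; the token compare is constant-time."""
    sess = _authenticated(req)
    if sess is None:
        return False
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is not None and urlparse(src).netloc != APP_HOST:
        return False
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), sess["csrf"].encode())


def create_user_hardened(req: Request) -> int:
    if req.method != "POST" or req.path != "/setup.pl":
        return 404
    if _authenticated(req) is None:
        return 401
    if not csrf_check(req):
        return 403
    USERS.append(req.form["username"])
    return 200


def demo() -> dict:
    """Constructed scenario: an admin with a live setup.pl session is lured to
    an attacker page that auto-submits a form to /setup.pl."""
    USERS.clear()
    sid = login_admin("dbadmin")
    forged = Request("POST", "/setup.pl",
                     headers={"Origin": "https://attacker.example"},
                     cookies={"sid": sid},      # added by the browser, not the attacker
                     form={"action": "create_user", "username": "backdoor"})
    legit = Request("POST", "/setup.pl",
                    headers={"Origin": f"https://{APP_HOST}"},
                    cookies={"sid": sid},
                    form={"action": "create_user", "username": "alice",
                          "csrf_token": csrf_token_for(sid)})
    return {
        "vulnerable_forged": create_user_vulnerable(forged),   # 200: account created
        "hardened_forged": create_user_hardened(forged),       # 403: no token, foreign Origin
        "hardened_legit": create_user_hardened(legit),         # 200
        "users": list(USERS),
    }


if __name__ == "__main__":
    print(demo())
```

The token check is the load-bearing control: the Origin/Referer comparison alone is not sufficient because some requests legitimately arrive without either header, and a check that passes when the header is absent is no check at all. Marking the session cookie SameSite=Lax or Strict is a complementary browser-side mitigation for this class of bug; whether and how the LedgerSMB fix uses any of these mechanisms is not stated on this page.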

Affected configurations

Vulners / NVD version ranges:
  ledgersmb:ledgersmb  < 1.10.30
  OR
  ledgersmb:ledgersmb  >= 1.11.0, < 1.11.9

Vendor      Product     Version   CPE
ledgersmb   ledgersmb   *         cpe:2.3:a:ledgersmb:ledgersmb:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "ledgersmb",
    "product": "LedgerSMB",
    "versions": [
      {
        "version": "< 1.10.30",
        "status": "affected"
      },
      {
        "version": ">= 1.11.0, < 1.11.9",
        "status": "affected"
      }
    ]
  }
]
