CVE-2009-3580
CVE-2009-3580 is a CSRF vulnerability in SQL-Ledger 2.8.24 specifically in the am.pl script. An attacker can trigger requests that change a user’s password by exploiting the login, new_password, and confirm_password parameters in a preferences action, potentially hijacking an arbitrary user’s ses...
CVE-2009-3581
Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8.24 allow remote authenticated users to inject arbitrary web script or HTML via (1) the DCN Description field in the Accounts Receivables menu item for Add Transaction, (2) the Description field in the Accounts Payable menu item for A...
CVE-2009-3583
Directory traversal vulnerability in the Preferences menu item in SQL-Ledger 2.8.24 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the countrycode field...
CVE-2009-3583
CVE-2009-3583 describes a directory traversal vulnerability in SQL-Ledger 2.8.24. The flaw resides in the Preferences menu item where an attacker can cause local files to be included and executed by supplying a .. (dot dot) sequence in the countrycode field. Public references consistently state t...
CVE-2009-3584
SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...
CVE-2009-4402
The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface...
SQL-Ledger 'admin.pl' Empty Credentials
The remote web server is hosting SQL-Ledger, a web-based double-entry accounting system. The installed version does not require credentials to access the administrator interface. Note that the installed version is potentially affected by several other vulnerabilities, though Nessus has not tested...
SQL-Ledger – several vulnerabilities
============================================ ||| Security Advisory AKLINK-SA-2009-001 ||| ||| CVE-2009-3580 CVE candidate ||| ||| CVE-2009-3581 CVE candidate ||| ||| CVE-2009-3582 CVE candidate ||| ||| CVE-2009-3583 CVE candidate ||| ||| CVE-2009-3584 CVE candidate |||...
SQL-Ledger XSS / XSRF / SQL Injection / LFI
============================================ ||| Security Advisory AKLINK-SA-2009-001 ||| ||| CVE-2009-3580 CVE candidate ||| ||| CVE-2009-3581 CVE candidate ||| ||| CVE-2009-3582 CVE candidate ||| ||| CVE-2009-3583 CVE candidate ||| ||| CVE-2009-3584 CVE candidate |||...
CVE-2008-4078
SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors...
CVE-2008-4077
The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length...
DEBIAN-CVE-2008-4078
SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors...
DEBIAN-CVE-2008-4077
The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length...
SQL injection
SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors...