Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Perimeter Scanner
Scanning
Projects
Scanner
Agent Scanning
API Scanning
Manual Audit
Email
Webhook
Resources
Documents
Blog
Glossary
FAQ
Plugins
Pricing
Contacts
About Us
Partners
Branding Guideline
Settings
Sign in
Sql-ledgerSql-ledger

16 matches found

CVE
CVEadded 2006/08/31 1:4 a.m.53 views

CVE-2006-4244

SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value.

7.5CVSS6.5AI score0.01337EPSS
CVE
CVEadded 2009/12/23 6:30 p.m.52 views

CVE-2009-3582

Multiple SQL injection vulnerabilities in the delete subroutine in SQL-Ledger 2.8.24 allow remote authenticated users to execute arbitrary SQL commands via the (1) id and possibly (2) db parameters in a Delete action to the output of a Vendors>Reports>Search search operation.

6.5CVSS7.9AI score0.00359EPSS
CVE
CVEadded 2007/04/10 11:19 p.m.50 views

CVE-2007-1923

(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. The LedgerSMB affected versions are before 1.3.0.

7.5CVSS6.7AI score0.01147EPSS
CVE
CVEadded 2009/12/23 6:30 p.m.49 views

CVE-2009-4402

The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface.

7.5CVSS6.8AI score0.00519EPSS
CVE
CVEadded 2007/03/07 9:19 p.m.48 views

CVE-2007-1329

Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before 1.1.5, allows remote attackers to read and overwrite arbitrary files, and execute arbitrary code, via . (dot) characters adjacent to (1) users and (2) users/members strings, which are removed by blacklisting functions that filter...

10CVSS7.2AI score0.05736EPSS
CVE
CVEadded 2007/03/13 7:19 p.m.48 views

CVE-2007-1436

Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring.

7.5CVSS6.9AI score0.00834EPSS
CVE
CVEadded 2009/12/23 6:30 p.m.48 views

CVE-2009-3583

Directory traversal vulnerability in the Preferences menu item in SQL-Ledger 2.8.24 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the countrycode field.

5.1CVSS6.8AI score0.00217EPSS
CVE
CVEadded 2009/12/23 6:30 p.m.45 views

CVE-2009-3580

Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action.

6.8CVSS7.1AI score0.00126EPSS
CVE
CVEadded 2009/12/23 6:30 p.m.43 views

CVE-2009-3581

Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8.24 allow remote authenticated users to inject arbitrary web script or HTML via (1) the DCN Description field in the Accounts Receivables menu item for Add Transaction, (2) the Description field in the Accounts Payable menu item f...

3.5CVSS5.3AI score0.00201EPSS
CVE
CVEadded 2009/12/23 6:30 p.m.43 views

CVE-2009-3584

SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

5CVSS6.2AI score0.00319EPSS
CVE
CVEadded 2007/03/13 7:19 p.m.41 views

CVE-2007-1437

Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution.

9CVSS6.8AI score0.00787EPSS
CVE
CVEadded 2007/02/02 9:28 p.m.40 views

CVE-2007-0667

The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and (2) SQL-Ledger allows remote authenticated users to execute arbitrary code via redirects, related to callbacks, a different issue than CVE-2006-5872.

6.5CVSS7.2AI score0.01651EPSS
CVE
CVEadded 2007/03/20 10:19 p.m.38 views

CVE-2007-1540

Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 and earlier, and (2) LedgerSMB before 1.2.0, allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence and trailing NULL (%00) in the login parameter. NOTE: this issue was reportedly...

4.3CVSS7AI score0.09845EPSS
CVE
CVEadded 2007/03/20 10:19 p.m.38 views

CVE-2007-1541

Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00) character to protect against directory traversal attacks, which allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence in the login parame...

7.5CVSS7AI score0.00344EPSS
CVE
CVEadded 2008/09/15 3:14 p.m.33 views

CVE-2008-4078

SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5CVSS7.9AI score0.00694EPSS
CVE
CVEadded 2008/09/15 3:14 p.m.32 views

CVE-2008-4077

The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.

7.8CVSS6.6AI score0.01977EPSS