SQL Ledger
by SQL Ledger
CVEs (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-1540 | 0.03 | — | 0.05 | Mar 20, 2007 | Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 and earlier, and (2) LedgerSMB before 1.2.0, allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence and trailing NULL (%00) in the login parameter. NOTE: this… | |||
| CVE-2006-4731 | 0.03 | — | 0.06 | Sep 13, 2006 | Multiple directory traversal vulnerabilities in (1) login.pl and (2) admin.pl in (a) SQL-Ledger before 2.6.19 and (b) LedgerSMB before 1.0.0p1 allow remote attackers to execute arbitrary Perl code via an unspecified terminal parameter value containing ../ (dot dot slash). | |||
| CVE-2009-4402 | 0.00 | — | 0.01 | Dec 23, 2009 | The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface. | |||
| CVE-2009-3584 | 0.00 | — | 0.01 | Dec 23, 2009 | SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||
| CVE-2009-3583 | 0.00 | — | 0.01 | Dec 23, 2009 | Directory traversal vulnerability in the Preferences menu item in SQL-Ledger 2.8.24 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the countrycode field. | |||
| CVE-2009-3582 | 0.00 | — | 0.01 | Dec 23, 2009 | Multiple SQL injection vulnerabilities in the delete subroutine in SQL-Ledger 2.8.24 allow remote authenticated users to execute arbitrary SQL commands via the (1) id and possibly (2) db parameters in a Delete action to the output of a Vendors>Reports>Search search operation. | |||
| CVE-2009-3581 | 0.00 | — | 0.01 | Dec 23, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8.24 allow remote authenticated users to inject arbitrary web script or HTML via (1) the DCN Description field in the Accounts Receivables menu item for Add Transaction, (2) the Description field in the Accounts… | |||
| CVE-2009-3580 | 0.00 | — | 0.01 | Dec 23, 2009 | Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action. | |||
| CVE-2008-4078 | 0.00 | — | 0.02 | Sep 15, 2008 | SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2008-4077 | 0.00 | — | 0.03 | Sep 15, 2008 | The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length. | |||
| CVE-2007-1923 | 0.00 | — | 0.03 | Apr 10, 2007 | (1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. The LedgerSMB affected versions are before 1.3.0. | |||
| CVE-2007-1541 | 0.00 | — | 0.02 | Mar 20, 2007 | Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00) character to protect against directory traversal attacks, which allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence… | |||
| CVE-2007-1436 | 0.00 | — | 0.02 | Mar 13, 2007 | Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring. | |||
| CVE-2007-1437 | 0.00 | — | 0.03 | Mar 13, 2007 | Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from… | |||
| CVE-2007-1329 | 0.00 | — | 0.05 | Mar 7, 2007 | Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before 1.1.5, allows remote attackers to read and overwrite arbitrary files, and execute arbitrary code, via . (dot) characters adjacent to (1) users and (2) users/members strings, which are removed by blacklisting… | |||
| CVE-2007-0667 | 0.00 | — | 0.02 | Feb 2, 2007 | The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and (2) SQL-Ledger allows remote authenticated users to execute arbitrary code via redirects, related to callbacks, a different issue than CVE-2006-5872. | |||
| CVE-2006-5872 | 0.00 | — | 0.02 | Dec 18, 2006 | login.pl in SQL-Ledger before 2.6.21 and LedgerSMB before 1.1.5 allows remote attackers to execute arbitrary Perl code via the "-e" flag in the script parameter, which is used as an argument to the perl program. | |||
| CVE-2006-4798 | 0.00 | — | 0.01 | Sep 14, 2006 | SQL-Ledger before 2.4.4 stores a password in a query string, which might allow context-dependent attackers to obtain the password via a Referer field or browser history. | |||
| CVE-2006-4244 | 0.00 | — | 0.02 | Aug 31, 2006 | SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the… |
- CVE-2007-1540Mar 20, 2007risk 0.03cvss —epss 0.05
Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 and earlier, and (2) LedgerSMB before 1.2.0, allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence and trailing NULL (%00) in the login parameter. NOTE: this…
- CVE-2006-4731Sep 13, 2006risk 0.03cvss —epss 0.06
Multiple directory traversal vulnerabilities in (1) login.pl and (2) admin.pl in (a) SQL-Ledger before 2.6.19 and (b) LedgerSMB before 1.0.0p1 allow remote attackers to execute arbitrary Perl code via an unspecified terminal parameter value containing ../ (dot dot slash).
- CVE-2009-4402Dec 23, 2009risk 0.00cvss —epss 0.01
The default configuration of SQL-Ledger 2.8.24 allows remote attackers to perform unspecified administrative operations by providing an arbitrary password to the admin interface.
- CVE-2009-3584Dec 23, 2009risk 0.00cvss —epss 0.01
SQL-Ledger 2.8.24 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
- CVE-2009-3583Dec 23, 2009risk 0.00cvss —epss 0.01
Directory traversal vulnerability in the Preferences menu item in SQL-Ledger 2.8.24 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the countrycode field.
- CVE-2009-3582Dec 23, 2009risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in the delete subroutine in SQL-Ledger 2.8.24 allow remote authenticated users to execute arbitrary SQL commands via the (1) id and possibly (2) db parameters in a Delete action to the output of a Vendors>Reports>Search search operation.
- CVE-2009-3581Dec 23, 2009risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in SQL-Ledger 2.8.24 allow remote authenticated users to inject arbitrary web script or HTML via (1) the DCN Description field in the Accounts Receivables menu item for Add Transaction, (2) the Description field in the Accounts…
- CVE-2009-3580Dec 23, 2009risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action.
- CVE-2008-4078Sep 15, 2008risk 0.00cvss —epss 0.02
SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
- CVE-2008-4077Sep 15, 2008risk 0.00cvss —epss 0.03
The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length.
- CVE-2007-1923Apr 10, 2007risk 0.00cvss —epss 0.03
(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests. The LedgerSMB affected versions are before 1.3.0.
- CVE-2007-1541Mar 20, 2007risk 0.00cvss —epss 0.02
Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00) character to protect against directory traversal attacks, which allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence…
- CVE-2007-1436Mar 13, 2007risk 0.00cvss —epss 0.02
Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring.
- CVE-2007-1437Mar 13, 2007risk 0.00cvss —epss 0.03
Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from…
- CVE-2007-1329Mar 7, 2007risk 0.00cvss —epss 0.05
Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before 1.1.5, allows remote attackers to read and overwrite arbitrary files, and execute arbitrary code, via . (dot) characters adjacent to (1) users and (2) users/members strings, which are removed by blacklisting…
- CVE-2007-0667Feb 2, 2007risk 0.00cvss —epss 0.02
The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and (2) SQL-Ledger allows remote authenticated users to execute arbitrary code via redirects, related to callbacks, a different issue than CVE-2006-5872.
- CVE-2006-5872Dec 18, 2006risk 0.00cvss —epss 0.02
login.pl in SQL-Ledger before 2.6.21 and LedgerSMB before 1.1.5 allows remote attackers to execute arbitrary Perl code via the "-e" flag in the script parameter, which is used as an argument to the perl program.
- CVE-2006-4798Sep 14, 2006risk 0.00cvss —epss 0.01
SQL-Ledger before 2.4.4 stores a password in a query string, which might allow context-dependent attackers to obtain the password via a Referer field or browser history.
- CVE-2006-4244Aug 31, 2006risk 0.00cvss —epss 0.02
SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the…