CVE-2021-3693

Published: Aug 23, 2021Modified: Nov 21, 2024

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 6.0

Source: NVD

Description

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Affected (6)

Products: Ledgersmb: Ledgersmb · Debian: Debian Linux

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Ledgersmb Ledgersmb	From 1.5.0 to 1.5.30
Ledgersmb Ledgersmb	From 1.6.0 to 1.6.33
Ledgersmb Ledgersmb	From 1.7.0 to 1.7.32
Ledgersmb Ledgersmb	From 1.8.0 to 1.8.17

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (6)

https://huntr.dev/bounties/daf1384d-648a-43fd-9b35-5c37d8ead667

Source: security@huntr.dev

Third Party Advisory

https://ledgersmb.org/cve-2021-3693-cross-site-scripting

Source: security@huntr.dev

PatchVendor Advisory

https://www.debian.org/security/2021/dsa-4962

Source: security@huntr.dev

Third Party Advisory

https://huntr.dev/bounties/daf1384d-648a-43fd-9b35-5c37d8ead667

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://ledgersmb.org/cve-2021-3693-cross-site-scripting

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.debian.org/security/2021/dsa-4962

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.