LedgerSMB 1.2.8 has been released in part in response to multiple SQL
injection issues which were discovered in the 1.2.x codebase. These occur
because input is not properly validated and/or escaped prior to the creation
of database queries. Users of the software are urged to upgrade as soon as
possible.
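The following is an added illustration of the defect class the advisory describes, not LedgerSMB code (LedgerSMB is Perl on PostgreSQL via DBI; this uses Python's sqlite3 so it runs stand-alone). It shows a query built by interpolating an unvalidated request value, the same query with the value bound as a parameter, and an allow-list check on the account field. The table, columns, rows and the account strings are constructed for the example.

```python
"""Constructed example: unsafe query construction beside the parameterised form.

Not from the LedgerSMB project. Table `acc_trans` and its rows are made up
to stand in for a ledger; the point is how the account filter is assembled.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed transactions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acc_trans ("
        "id INTEGER PRIMARY KEY, account TEXT NOT NULL, "
        "amount REAL NOT NULL, memo TEXT)"
    )
    conn.executemany(
        "INSERT INTO acc_trans (account, amount, memo) VALUES (?, ?, ?)",
        [
            ("1200", 150.00, "invoice 17"),
            ("1200", -40.00, "refund 17"),
            ("5000", 999.99, "petty cash"),
        ],
    )
    conn.commit()
    return conn


def transactions_interpolated(conn: sqlite3.Connection, account: str) -> list:
    """Vulnerable pattern: the request value is pasted into the SQL text.

    A quote character inside `account` terminates the string literal and
    whatever follows is parsed as SQL, so the filter the code intended to
    apply can be rewritten by the caller.
    """
    sql = f"SELECT id, account, amount FROM acc_trans WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


def transactions_parameterised(conn: sqlite3.Connection, account: str) -> list:
    """Hardened pattern: fixed SQL text, value supplied as a bound parameter.

    The driver sends the value separately from the statement, so it is only
    ever compared as data and can never change the shape of the query.
    """
    sql = "SELECT id, account, amount FROM acc_trans WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


# Allow-list for the account field: digits only, a plausible length.
# Validation like this belongs in addition to parameterisation, not instead.
ACCOUNT_RE = re.compile(r"[0-9]{4,8}")


def is_valid_account(account: str) -> bool:
    """Return True only when `account` matches the allow-list pattern."""
    return ACCOUNT_RE.fullmatch(account) is not None


def row_count(conn: sqlite3.Connection, account: str, safe: bool) -> int:
    """Number of rows the chosen query style returns for `account`."""
    fn = transactions_parameterised if safe else transactions_interpolated
    return len(fn(conn, account))


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a quote followed by an always-true condition.
    crafted = "' OR '1'='1"
    for label, value in (("normal", "1200"), ("crafted", crafted)):
        print(label, "valid:", is_valid_account(value),
              "interpolated rows:", row_count(db, value, safe=False),
              "parameterised rows:", row_count(db, value, safe=True))
```

With the normal account both forms return the same two rows. With the crafted value the interpolated query returns every row in the table, while the parameterised query returns none, and the allow-list check rejects the value before any query is built.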
Mode of attack: These could be exploited through a web browser.
Complexity of attack: Low
Impact: Integrity of financial data could be compromised. This could be
used by a competent inside attacker to hide embezzlement activities and the
like.
Severity: Critical
Other affected software: SQL-Ledger 2.x (all versions). It is unknown how
many other SQL-Ledger forks are vulnerable.
These vulnerabilities were discovered by the LedgerSMB core team in the
process of routine code audits and fixing bugs reported by users.

Best Wishes,
Chris Travers
_______________________________________________
Ledger-smb-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ledger-smb-users