[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security Advisory: Multiple SQL injection issues discovered in 1.2.7, patched in 1.2.8

LedgerSMB 1.2.8 has been released in part in response to multiple SQL injection issues which were discovered in the 1.2.x codebase.  These occur because input is not properly validated and/or escaped prior to the creation of database queries.  Users of the software are urged to upgrade as soon as possible.

Mode of attack:  These could be exploited through a web browser.
Complexity of attack:  Low
Impact:  Integrity of financial data could be compromised.  This could be used by a competent inside attacker to hide embezzlement activities and the like.
Severity:  Critical

Other affected software:  SQL-Ledger 2.x (all versions).  It is unknown how many other SQL-Ledger forks are vulnerable.

These vulnerabilities were discovered by the LedgerSMB core team in the process of routine code audits and fixing bugs reported by users.

Best Wishes,
Chris Travers