CVE-2024-23831
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-23831
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23831.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-23831
- Aliases
-
- GHSA-98ff-f638-qxjm
- Downstream
- Published
- 2024-02-02T15:34:12Z
- Modified
- 2025-10-20T20:25:13.147559Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Privilege escalation through CSRF attack on 'setup.pl'
- Details
-
LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent. This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation. The vulnerability is patched in versions 1.10.30 and 1.11.9.
- Database specific
{ "cwe_ids": [ "CWE-352" ] }- References
Affected packages
Git / github.com/ledgersmb/ledgersmb
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ledgersmb/ledgersmb
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/ledgersmb/ledgersmb
- Events
Affected versions
1.*
1.10.0
1.10.1
1.10.10
1.10.11
1.10.12
1.10.13
1.10.14
1.10.15
1.10.16
1.10.17
1.10.18
1.10.19
1.10.2
1.10.20
1.10.21
1.10.22
1.10.23
1.10.24
1.10.25
1.10.26
1.10.27
1.10.28
1.10.29
1.10.3
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.10.9
1.11.0
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.11.8
1.3.42
1.4.0-rc2
1.4.1
1.4.12
1.4.7
1.4.7-rc1
1.4.8-rc2
1.4.9-2
1.5-beta2
1.5.0-beta1
1.5.0-beta3
1.5.0-beta4
1.5.0-beta5
1.5.0-beta6
1.7.0-alpha1
1.7.0-beta1
v.*
v.1.3.41