==========================================================================
Ubuntu Security Notice USN-7647-1
July 17, 2025

ledgersmb vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in LedgerSMB.

Software Description:
- ledgersmb: A libre software double entry accounting and enterprise resource planning (ERP) system

Details:

It was discovered that LedgerSMB did not check the origin of HTML
fragments. An attacker could possibly use this issue to send a
maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2021-3693)

It was discovered that LedgerSMB did not properly encode HTML
error messages. An attacker could possibly use this issue to send
a maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2021-3694)

It was discovered that LedgerSMB did not guard against discrete
link redirections. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-3731)

It was discovered that LedgerSMB did not properly set the 'Secure'
attribute during HTTPS sessions. If a user were tricked into using
an unencrypted connection, an attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu
25.04. (CVE-2021-3882)

It was discovered that LedgerSMB could create admin accounts via
a URL. If an admin were tricked into clicking a maliciously
crafted URL, an attacker could possibly use this issue to
achieve privilege escalation. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2024-23831)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  ledgersmb                       1.6.33+ds-2.2ubuntu0.25.04.1

Ubuntu 24.04 LTS
  ledgersmb                       1.6.33+ds-2.1ubuntu0.1

Ubuntu 22.04 LTS
  ledgersmb                       1.6.33+ds-1ubuntu0.1

Ubuntu 20.04 LTS
  ledgersmb                       1.6.9+ds-1ubuntu0.1+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ledgersmb                       1.4.42+ds-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  ledgersmb                       1.3.46-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

After a standard system update you need to restart LedgerSMB to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7647-1
  CVE-2021-3693, CVE-2021-3694, CVE-2021-3731, CVE-2021-3882,
  CVE-2024-23831

Package Information:
  https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-2.2ubuntu0.25.04.1
  https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-2.1ubuntu0.1
  https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-1ubuntu0.1