Beware of Privilege Escalation Vulnerability in LedgerSMB Accounting Software

CVE: CVE-2024-23831
CVSS (v3.1): 7.5
Source: CVE-2024-23831

LedgerSMB is an open source accounting software used by many small businesses to manage their finances and accounts. Unfortunately, a privilege escalation vulnerability was discovered in older versions of this software that could allow attackers to gain administrative access.

The vulnerability resides in the setup page of LedgerSMB (/setup.pl). If an administrator is logged into this page, a malicious actor could trick them into clicking a specially crafted link. That link would cause the admin's browser to submit a request to the setup page, carrying the admin's session, without the admin's consent or knowledge (a cross-site request forgery).

Because the setup page accepts that request, the attacker could use it to create a new user account with full administrative privileges, elevating their access to the highest level. With admin access, sensitive financial data and overall control of the accounting system are compromised.

To exploit this, the attacker would need to social engineer the administrator into clicking a link while they are logged into the setup interface. No other interaction from the victim would be needed.
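The following is an added illustration, not code from LedgerSMB or from this advisory, of the server-side checks that stop the forged setup request described above. It is written in Python rather than LedgerSMB's Perl, and the site origin, session object, request shape and form fields are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origin the accounting app is served from (constructed value for this example).
SITE_ORIGIN = "https://books.example.internal"

@dataclass
class Session:  # server-side session located via the cookie the browser attaches automatically
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: "Session | None"

def same_origin(req: Request) -> bool:
    """Accept only requests whose Origin header matches the app's own origin."""
    p = urlsplit(req.headers.get("Origin", ""))
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN

def csrf_token_valid(req: Request) -> bool:
    """The per-session token is in the form body, which a cross-site page cannot read."""
    if req.session is None:
        return False
    return hmac.compare_digest(req.form.get("csrf_token", ""), req.session.csrf_token)

def authorize_setup_action(req: Request) -> tuple:
    """Decide whether a state-changing setup request (e.g. create user) may proceed."""
    if req.method != "POST":
        return False, "state change must use POST"
    if req.session is None:
        return False, "no authenticated session"
    if not same_origin(req):
        return False, "cross-origin request"
    if not csrf_token_valid(req):
        return False, "missing or wrong CSRF token"
    return True, "ok"

ADMIN = Session("admin")  # constructed logged-in admin session
CREATE_USER = {"action": "create_user", "username": "newadmin", "role": "admin"}

def legit_request() -> Request:
    # Submitted from the app's own setup page: right origin plus the session's token.
    return Request("POST", {"Origin": SITE_ORIGIN}, {**CREATE_USER, "csrf_token": ADMIN.csrf_token}, ADMIN)

def forged_request() -> Request:
    # Triggered from an attacker-controlled page: the session cookie rides along, the token does not.
    return Request("POST", {"Origin": "https://attacker.example"}, dict(CREATE_USER), ADMIN)
```

The forged request is refused even though it carries a valid admin session, because the session cookie alone is not proof that the admin intended the action; the origin check and the per-session token supply that proof.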

The good news is that this vulnerability has been patched in LedgerSMB versions 1.10.30 and newer. Users are advised to always keep their software updated to the latest versions to protect against known issues. Administrators should also be cautious of any unsolicited links received, even if they appear to come from a trusted source. Taking basic precautions like these helps prevent privilege escalation attacks.
