Ubuntu 22.04 & 25.04: LedgerSMB Critical Security Fixes USN-7647-1
Jul 17, 2025
•
LinuxSecurity Advisories
2 - 3 min read
Topics Covered
Several security issues were fixed in LedgerSMB.
==========================================================================
Ubuntu Security Notice USN-7647-1
July 17, 2025
ledgersmb vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in LedgerSMB.
Software Description:
- ledgersmb: A libre software double entry accounting and enterprise resource planning (ERP) system
Details:
It was discovered that LedgerSMB did not check the origin of HTML
fragments. An attacker could possibly use this issue to send a
maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2021-3693)
It was discovered that LedgerSMB did not properly encode HTML
error messages. An attacker could possibly use this issue to send
a maliciously crafted URL to the server and obtain sensitive
information, or execute arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2021-3694)
It was discovered that LedgerSMB did not guard against discrete
link redirections. An attacker could possibly use this issue to
obtain sensitive information. This issue only affected Ubuntu
16.04 LTS and Ubuntu 18.04 LTS. (CVE-2021-3731)
It was discovered that LedgerSMB did not properly set the 'Secure'
attribute during HTTPS sessions. If a user were tricked into using
an unencrypted connection, an attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu
25.04. (CVE-2021-3882)
It was discovered that LedgerSMB could create admin accounts via
a URL. If an admin were tricked into clicking a maliciously
crafted URL, an attacker could possibly use this issue to
achieve privilege escalation. This issue only affected Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04.
(CVE-2024-23831)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
ledgersmb 1.6.33+ds-2.2ubuntu0.25.04.1
Ubuntu 24.04 LTS
ledgersmb 1.6.33+ds-2.1ubuntu0.1
Ubuntu 22.04 LTS
ledgersmb 1.6.33+ds-1ubuntu0.1
Ubuntu 20.04 LTS
ledgersmb 1.6.9+ds-1ubuntu0.1+esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
ledgersmb 1.4.42+ds-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
ledgersmb 1.3.46-1ubuntu0.1~esm1
Available with Ubuntu Pro
After a standard system update you need to restart LedgerSMB to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7647-1
CVE-2021-3693, CVE-2021-3694, CVE-2021-3731, CVE-2021-3882,
CVE-2024-23831
Package Information:
https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-2.2ubuntu0.25.04.1
https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-2.1ubuntu0.1
PREVIOUS
NEXT
Ubuntu 22.04 & 25.04: LedgerSMB Critical Security Fixes USN-7647-1
ubuntu
July 17, 2025
Several security issues were fixed in LedgerSMB.
Summary
A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.04 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in LedgerSMB. Software Description: - ledgersmb: A libre software double entry accounting and enterprise resource planning (ERP) system Details: It was discovered that LedgerSMB did not check the origin of HTML fragments. An attacker could possibly use this issue to send a maliciously crafted URL to the server and obtain sensitive information, or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04. (CVE-2021-3693) It was discovered that LedgerSMB did not properly encode HTML error messages. An attacker could possibly use this issue to send a maliciously crafted URL to the server and obtain sensitive information, or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2021-3694) It was ...
Read the Full Advisory
Topics Covered
Update Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 25.04 ledgersmb 1.6.33+ds-2.2ubuntu0.25.04.1 Ubuntu 24.04 LTS ledgersmb 1.6.33+ds-2.1ubuntu0.1 Ubuntu 22.04 LTS ledgersmb 1.6.33+ds-1ubuntu0.1 Ubuntu 20.04 LTS ledgersmb 1.6.9+ds-1ubuntu0.1+esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS ledgersmb 1.4.42+ds-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS ledgersmb 1.3.46-1ubuntu0.1~esm1 Available with Ubuntu Pro After a standard system update you need to restart LedgerSMB to make all the necessary changes.
References
https://ubuntu.com/security/notices/USN-7647-1
CVE-2021-3693, CVE-2021-3694, CVE-2021-3731, CVE-2021-3882,
CVE-2024-23831
Severity
critical
Lowest
Low
Medium
High
Critical
Ubuntu Security Notice USN-7647-1
Topics Covered
Package Information
https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-2.2ubuntu0.25.04.1 https://launchpad.net/ubuntu/+source/ledgersmb/1.6.33+ds-2.1ubuntu0.1
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!