1.8.18 Released

Submitted by ehu on Mon, 08/23/2021 - 14:26

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application. This
release contains three fixes for security vulnerabilities. Users are
urged to upgrade as soon as possible. Special thanks go to "ranjit-git",
and sudheendra17, users of the https://huntr.dev/ platform, for disclosing
these issues responsibly to the development team. And to the platform
itself for sponsoring the work of these researchers.
This release contains the following fixes and improvements:

Read more about 1.8.18 Released

1.7.33 Released

Submitted by ehu on Mon, 08/23/2021 - 14:23

Read more about 1.7.33 Released

1.9 release notes

Submitted by ehu on Sun, 08/22/2021 - 06:58

What's new and notable in LedgerSMB 1.9

Customer/Vendor drop-down on invoices searchable
E-mailed documents stored in the database
Searching open invoices for payment by customer/vendor name
A new command line application for administrative tasks and automation
"GIFI" selections are now hidden when no GIFI is configured
Replace "Ignore Year-ends" with opening or closing balances on balance sheet report
Mailing of aging reports
'Update' no longer clobbers saved invoices and transactions
Optimized

Read more about 1.9 release notes
Log in or register to post comments

Upgrading LedgerSMB 1.8.x to 1.8.y

Submitted by ehu on Sun, 08/22/2021 - 03:10

There are two steps to upgrading a LedgerSMB 1.8.x installation to 1.8.y (x smaller than y):

Upgrade the software
Upgrade the company database

The second step has to be executed for each company database that's set up.

Upgrade the software

The steps to upgrade the software differ between Docker or tarball (from source) installations.

Upgrading Docker installations

In case the installation was created using the docker-compose infrastructure provided by the project, the upgrade should be as simple as running

Read more about Upgrading LedgerSMB 1.8.x to 1.8.y
Log in or register to post comments

Security advisory for CVE-2021-3731 (Clickjacking)

Submitted by ehu on Fri, 08/20/2021 - 14:22

Read more about Security advisory for CVE-2021-3731 (Clickjacking)

Insufficient protection against 'clickjacking'

Summary

LedgerSMB does not sufficiently guard against being wrapped by
other sites, making it vulnerable to 'clickjacking. This allows
an attacker to trick a targetted user to execute unintended actions.

Known vulnerable

All of:

Security advisory for CVE-2021-3693 (Cross site scripting)

Submitted by ehu on Fri, 08/20/2021 - 03:14

Read more about Security advisory for CVE-2021-3693 (Cross site scripting)

DOM cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

All of:

- 1.5.0 upto 1.5.30 (including)
- 1.6.0 upto 1.6.33 (including)
- 1.7.0 upto 1.7.32 (including)
- 1.8.0 upto 1.8.17 (including)

Security advisory for CVE-2021-3694 (Cross site scripting)

Submitted by ehu on Fri, 08/20/2021 - 03:13

Read more about Security advisory for CVE-2021-3694 (Cross site scripting)

Reflected cross-site scripting of authenticated users in LedgerSMB

Summary

LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.

Known vulnerable

All of:

Hill Holdings Ltd - Barbados

Submitted by ehu on Sun, 08/08/2021 - 01:47

Hill Holdings Ltd is small company in Barbados, in the sunny Caribbean. We are in the vacation rentals business, and we use LedgerSMB's General Ledger module to keep track of our income and expenses.

From a technical point of view, I found LedgerSMB easy to install. Upgrades and fixes come out frequently, and it is very easy to upgrade via a small Bash script that I wrote myself.

Read more about Hill Holdings Ltd - Barbados

1.8.17 Released

Submitted by LedgerSMB_Team on Wed, 07/28/2021 - 14:12

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.17

* Align filters between UI and the database on draft transaction search (#5692)
* Correctly present manual tax and invoice total on reversing invoice (#5721)
* Repeatedly saving a draft invoice pops up an SQL error (#5679)

Read more about 1.8.17 Released

1.8.16 Released

Submitted by LedgerSMB_Team on Sat, 07/10/2021 - 10:46

The LedgerSMB development team is happy to announce yet another new
version of its open source ERP and accounting application.
This release contains the following fixes and improvements:

Changelog for 1.8.16

Read more about 1.8.16 Released

Subscribe to