Source: ledgersmb
Version: 1.6.9+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.6.9+ds-1
Control: fixed -1 1.6.9+ds-1+deb10u2
Control: fixed -1 1.6.9+ds-2+deb11u2

Hi,

The following vulnerabilities were published for ledgersmb.

CVE-2021-3693[0]:
| LedgerSMB does not check the origin of HTML fragments merged into the
| browser's DOM. By sending a specially crafted URL to an authenticated
| user, this flaw can be abused for remote code execution and
| information disclosure.

CVE-2021-3694[1]:
| LedgerSMB does not sufficiently HTML-encode error messages sent to the
| browser. By sending a specially crafted URL to an authenticated user,
| this flaw can be abused for remote code execution and information
| disclosure.

CVE-2021-3731[2]:
| LedgerSMB does not sufficiently guard against being wrapped by other
| sites, making it vulnerable to 'clickjacking'. This allows an attacker
| to trick a targeted user to execute unintended actions.

If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3693
[1] https://security-tracker.debian.org/tracker/CVE-2021-3694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3694
[2] https://security-tracker.debian.org/tracker/CVE-2021-3731
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3731

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
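The three CVE descriptions above name three distinct weakness classes: merging HTML fragments without checking their origin, emitting error messages without HTML-encoding, and serving pages without framing protection. The following is an added illustration of the corresponding defensive checks; it is not LedgerSMB code and does not reproduce the project's fix. The function names, the sample URLs and header sets are all constructed for the example.

```python
"""Defensive checks for the three weakness classes named in the report.

Added example, not LedgerSMB code. All function names, URLs and header
values below are constructed for illustration.
"""
from html import escape
from urllib.parse import urlsplit


# --- CVE-2021-3694 class: error messages must be HTML-encoded -------------

def render_error_unsafe(message: str) -> str:
    """'Before' shape: the message is interpolated verbatim, so any markup
    it carries is handed to the browser as live HTML."""
    return f"<div class='error'>{message}</div>"


def render_error_safe(message: str) -> str:
    """Hardened shape: encode &, <, >, and both quote characters so the
    message is rendered as inert text, whatever it contains."""
    return f"<div class='error'>{escape(message, quote=True)}</div>"


# --- CVE-2021-3693 class: only same-origin fragments may enter the DOM -----

def origin_of(url: str) -> str:
    """Normalise a URL to its (scheme, host, port) origin string.
    Default ports are filled in so 'https://h/' and 'https://h:443/' agree."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return f"{scheme}://{host}:{port}"


def fragment_allowed(fragment_url: str, page_url: str) -> bool:
    """True only when the fragment comes from the page's own origin.
    Scheme, host and port must all match; a different scheme is a
    different origin even on the same host."""
    return origin_of(fragment_url) == origin_of(page_url)


# --- CVE-2021-3731 class: responses must restrict who may frame them -------

def framing_protected(headers: dict) -> bool:
    """Inspect response headers (case-insensitive names) and report whether
    embedding by other sites is restricted, either by X-Frame-Options
    (DENY / SAMEORIGIN) or by a CSP frame-ancestors directive that is not
    a wildcard. An absent or permissive policy returns False."""
    lower = {k.lower(): v for k, v in headers.items()}

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            # 'none', 'self' or an explicit allow-list restricts framing;
            # an empty list or a bare '*' does not.
            return bool(sources) and "*" not in sources
    return False


if __name__ == "__main__":
    # Constructed sample inputs, run as a quick self-check.
    print(render_error_unsafe("<b>bad</b>"))
    print(render_error_safe("<b>bad</b>"))
    print(fragment_allowed("https://erp.example/menu.html",
                           "https://erp.example/login.pl"))
    print(framing_protected({"Content-Security-Policy":
                             "default-src 'self'; frame-ancestors 'none'"}))
```

Running the block prints the verbatim and encoded renderings side by side, then `True` for the same-origin fragment and `True` for the response whose CSP forbids framing. In practice the framing check is the one to wire into a deployment smoke test: fetch the login page and a post-login page, feed their headers to `framing_protected`, and fail the check when either returns `False`.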