CVE-2024-23831: 
Linux Debian vulnerability analysis and mitigation

LedgerSMB, a free web-based double-entry accounting system, was found to contain a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2024-23831. The vulnerability was discovered in February 2024 and affects versions from 1.3.0 through 1.10.29 and 1.11.0 through 1.11.8. The issue has been patched in versions 1.10.30 and 1.11.9 (GitHub Advisory).

The vulnerability is classified as a Cross-Site Request Forgery (CWE-352) with a CVSS v3.1 Base Score of 7.5 (HIGH) and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack requires high complexity but no privileges, with required user interaction. The vulnerability exists in the setup.pl interface, where an attacker can exploit missing CSRF protections to submit unauthorized requests when a database administrator has an active session (GitHub Advisory).

When successfully exploited, the vulnerability allows an attacker to create a new user account with full application (/login.pl) privileges for a single company database. While the created user doesn't gain full access to setup.pl, they can perform any action supported by login.pl. In multi-company setups, if companies share users, the attacker could potentially gain access to other companies with the rights of the affected user accounts (GitHub Advisory).

The primary mitigation is to upgrade to the patched versions 1.10.30 or 1.11.9. For users who cannot upgrade, a workaround is available by not exposing and using /setup.pl, instead utilizing the command-line application 'ledgersmb-admin' for administrative tasks. Password resets can be performed using regular /login.pl functionality or through PostgreSQL's 'psql' command line tool. Versions prior to 1.10 are end-of-life and will not receive security fixes from the LedgerSMB project (GitHub Advisory).