{"id":"CVE-2024-23831","summary":"Privilege escalation through CSRF attack on 'setup.pl'","details":"LedgerSMB is a free web-based double-entry accounting system. When a LedgerSMB database administrator has an active session in /setup.pl, an attacker can trick the admin into clicking on a link which automatically submits a request to setup.pl without the admin's consent.  This request can be used to create a new user account with full application (/login.pl) privileges, leading to privilege escalation.  The vulnerability is patched in versions 1.10.30 and 1.11.9.\n","aliases":["GHSA-98ff-f638-qxjm"],"modified":"2026-04-29T04:11:32.510428Z","published":"2024-02-02T15:34:12.121Z","database_specific":{"cwe_ids":["CWE-352"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23831.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/23xxx/CVE-2024-23831.json"},{"type":"ADVISORY","url":"https://github.com/ledgersmb/LedgerSMB/security/advisories/GHSA-98ff-f638-qxjm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23831"},{"type":"FIX","url":"https://github.com/ledgersmb/LedgerSMB/commit/8c2ae5be68a782d62cb9c0e17c0127bf30ef4165"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ledgersmb/ledgersmb","events":[{"introduced":"ec3120dc8c32494b9244c00595ecf75be930ee72"},{"fixed":"561ba72820038003b4b3ccadbb10b3a4fb69e4ab"},{"introduced":"01e7041a3f7ccc2e2e3330d155e4ea785ba76d10"},{"fixed":"affcbedcc4d7371195947ef652c20ad54f4623ad"},{"fixed":"8c2ae5be68a782d62cb9c0e17c0127bf30ef4165"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"fixed":"1.10.30"},{"introduced":"1.11.0"},{"fixed":"1.11.9"}]}}],"versions":["1.11.0","1.11.1","1.11.2","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-23831.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}