Weakness categories: Resource Management Errors; Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

| Vulnerability | Severity Score | Release Date | Summary |
| CVE-2008-4077 | 7.8 | Sept. 15, 2008 | The CGI scripts in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allow remote attackers to cause a denial of service (resource exhaustion) via an HTTP POST request with a large Content-Length. |
| CVE-2006-4244 | 7.5 | Aug. 30, 2006 | SQL-Ledger 2.4.4 through 2.6.17 authenticates users by verifying that the value of the sql-ledger-[username] cookie matches the value of the sessionid parameter, which allows remote attackers to gain access as any logged-in user by setting the cookie and the parameter to the same value. |
| CVE-2008-4078 | 6.5 | Sept. 15, 2008 | SQL injection vulnerability in the AR/AP transaction report in (1) LedgerSMB (LSMB) before 1.2.15 and (2) SQL-Ledger 2.8.17 and earlier allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |