CVE-2007-3907

Name of the Vulnerable Software and Affected Versions: LedgerSMB versions 1.2.0 through 1.2.6

Description: The issue allows remote attackers to bypass authentication and perform certain actions as an arbitrary user. This is achieved via unspecified vectors involving a URL with a redirect parameter value, along with a callback parameter containing an escaped URL that specifies the action.

Recommendations: For LedgerSMB versions 1.2.0 through 1.2.6, consider restricting access to the login.pl module to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the redirect and callback parameters in URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.