CVE-2009-3581

Name of the Vulnerable Software and Affected Versions SQL-Ledger version 2.8.24

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via specific fields, including the DCN Description field in the Accounts Receivables menu item for Add Transaction, the Description field in the Accounts Payable menu item for Add Transaction, the name field in the Customers menu item for Add Customer, or the Vendor menu item for Add Vendor.

Recommendations For SQL-Ledger version 2.8.24, consider restricting access to the affected fields, such as the DCN Description field, the Description field, and the name fields in the Customers and Vendor menu items, until a patch is available. As a temporary workaround, avoid using these fields for input that may contain web script or HTML.