{"id":"CVE-2021-3694","details":"LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.","modified":"2026-04-10T04:34:49.119154Z","published":"2021-08-23T13:15:07.780Z","references":[{"type":"ADVISORY","url":"https://ledgersmb.org/cve-2021-3694-cross-site-scripting"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4962"},{"type":"ADVISORY","url":"https://huntr.dev/bounties/ef7f4cf7-3a81-4516-b261-f5b6ac21430c"},{"type":"FIX","url":"https://github.com/ledgersmb/ledgersmb/commit/98fa476d46a4a7e5e9492ed69b4fa190be5547fc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ledgersmb/ledgersmb","events":[{"introduced":"ec3120dc8c32494b9244c00595ecf75be930ee72"},{"last_affected":"e4fadfc9b121160dd393cf2f90d6a65a76b13b4c"},{"introduced":"556e093b59d91afa384f882c31271e85229aade8"},{"last_affected":"ac521b6caed3ee1a07a297e26ad07df9c8c14e13"},{"introduced":"5fb87569525daa80b39f08bd61dfaf041dca6519"},{"last_affected":"847ab6aabd2e64f286a867a5dbfd2bca3a382997"},{"introduced":"7f377d50e554d1672a549e19dc6c05dccbf8fb03"},{"last_affected":"acf6dcfe2cf0fef291c02d06030bc2e712cfc28f"},{"introduced":"9e949f0dbdcfd21ae397f44b91c28e01ef5f9817"},{"last_affected":"08762c39957a3edd025d245dbfb253613c39da30"},{"introduced":"8f505d3e6fd0b4004ec35aa5b7c0769107c28a9e"},{"last_affected":"26d278b955f676edf6567aa1a0057ce5464ebe13"},{"fixed":"98fa476d46a4a7e5e9492ed69b4fa190be5547fc"}],"database_specific":{"versions":[{"introduced":"1.3.0"},{"last_affected":"1.3.47"},{"introduced":"1.4.0"},{"last_affected":"1.4.42"},{"introduced":"1.5.0"},{"last_affected":"1.5.30"},{"introduced":"1.6.0"},{"last_affected":"1.6.33"},{"introduced":"1.7.0"},{"last_affected":"1.7.32"},{"introduced":"1.8.0"},{"last_affected":"1.8.17"}]}}],"versions":["1.4.0","1.4.1-2","1.4.10","1.4.13","1.4.15","1.4.16","1.4.17","1.4.18","1.4.19","1.4.2","1.4.20","1.4.21","1.4.22","1.4.23","1.4.24","1.4.25","1.4.26","1.4.28","1.4.29","1.4.3","1.4.30","1.4.31","1.4.32","1.4.33","1.4.34","1.4.35","1.4.36","1.4.37","1.4.38","1.4.39","1.4.4","1.4.40","1.4.41","1.4.42","1.4.5","1.4.8","1.4.8--rc2","1.4.8-rc1","1.4.9","1.4.9-3","1.5.0","1.5.1","1.5.10","1.5.11","1.5.12","1.5.13","1.5.14","1.5.15","1.5.16","1.5.17","1.5.18","1.5.19","1.5.2","1.5.20","1.5.21","1.5.22","1.5.23","1.5.24","1.5.25","1.5.26","1.5.27","1.5.28","1.5.29","1.5.3","1.5.30","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6.0","1.6.1","1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.15","1.6.16","1.6.17","1.6.18","1.6.19","1.6.2","1.6.20","1.6.21","1.6.22","1.6.23","1.6.24","1.6.25","1.6.26","1.6.27","1.6.28","1.6.29","1.6.3","1.6.30","1.6.31","1.6.32","1.6.33","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7.0","1.7.1","1.7.10","1.7.11","1.7.12","1.7.13","1.7.14","1.7.15","1.7.16","1.7.17","1.7.18","1.7.19","1.7.2","1.7.20","1.7.21","1.7.22","1.7.23","1.7.24","1.7.25","1.7.26","1.7.27","1.7.28","1.7.29","1.7.3","1.7.30","1.7.31","1.7.32","1.7.4","1.7.5","1.7.6","1.7.7","1.7.8","1.7.9","1.8.0","1.8.1","1.8.10","1.8.11","1.8.12","1.8.13","1.8.14","1.8.15","1.8.16","1.8.17","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"1.1.0"},{"last_affected":"1.1.12"}]},{"events":[{"introduced":"1.2.0"},{"last_affected":"1.2.26"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3694.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}