DescriptionMultiple SQL injection vulnerabilities in the delete subroutine in SQL-Ledger 2.8.24 allow remote authenticated users to execute arbitrary SQL commands via the (1) id and possibly (2) db parameters in a Delete action to the output of a Vendors>Reports>Search search operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs562639

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sql-ledger (PTS)wheezy3.0.3-1vulnerable
sid, stretch3.0.8-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


Only supported behind an authenticated HTTP zone, see README.Debian

Search for package or bug name: Reporting problems