CVE-2022-24851 — Path Traversal in Ldap Account Manager

CWE-22 — Path Traversal CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.9%

top 23.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ldapaccountmanager LAM Ldap-account-manager Ldap Account Manager Debian Ldap-account-manager +1 more

Timeline

PublishedApr 15

Description

LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not prop…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5ldapaccountmanager/lam< 7.9.1

▶debiandebian/ldap-account-manager< ldap-account-manager 7.9.1-1 (bookworm)

▶NVDldap-account-manager/ldap_account_manager< 7.9.1

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-24851: LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory↗2022-04-15

▶

📋Vendor Advisories

Debian

CVE-2022-24851: ldap-account-manager - LDAP Account Manager (LAM) is an open source web frontend for managing entries s...↗2022

▶