cbcvebase.
CVE-2022-31086
published 2022-06-27

CVE-2022-31086: LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0…

PriorityP357high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.15%
79.8th percentile
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

Affected

4 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debianldap-account-manager< ldap-account-manager 8.0.1-1 (bookworm)ldap-account-manager 8.0.1-1 (bookworm)
ldap-account-managerldap_account_manager< 8.08.0
ldapaccountmanagerlam< 8.08.0

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.06.6MEDIUMCVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.0MEDIUMAV:N/AC:M/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.