CVE-2024-9101 — Cross-site Scripting in phpLDAPadmin
Severity
2.1 LOW (NVD)
EPSS
0.3%
top 46.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Dec 19
Description
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
CVSS vector
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Affected Packages: 3 packages
Vulnerability Details (2)
Vendor Advisories (1)
Debian
CVE-2024-9101: phpldapadmin - A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of p... (2024)