LDAP Account Manager (ldap-account-manager/ldap_account_manager) vulnerabilities
14 known vulnerabilities affecting ldap-account-manager/ldap_account_manager.
Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 8
Vulnerabilities
CVE-2026-27895 | HIGH | CVSS 8.8 | CWE-185 | affected ≥ 8.5, < 9.5 | published 2026-03-18
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote co
Source: NVD
CVE-2026-27894 | HIGH | CVSS 8.8 | CWE-98 | fixed in 9.5 | published 2026-03-18
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary cod
Source: NVD
CVE-2024-23333 | MEDIUM | CVSS 6.6 | CWE-74 | fixed in 8.7 | published 2024-03-18
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM's log configuration allows to specify arbitrary paths for log files. Prior to version 8.7, an attacker could exploit this by creating a PHP file and cause LAM to log some PHP code to this file. When the file is then accessed via web the code would be exec
Source: NVD
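The log-path issue above is a confinement problem: a configurable path that is used as given can point anywhere, including a web-served directory, and a ".php" name there turns logged input into code. The following is an added example, not LAM's code; the directory layout, the function names and the constructed config values are hypothetical (the advisory names none of them). It shows the unchecked pattern beside a check that resolves the parent directory with realpath(), requires it to sit under a dedicated log directory, and forces a single fixed ".log" extension.

```php
<?php
declare(strict_types=1);

// Added example, not LAM's code. Directory layout, function names and the
// constructed config values are hypothetical.

/** The unsafe pattern: whatever path the configuration names is used as-is. */
function logPathUnchecked(string $configured): string
{
    return $configured;
}

/**
 * Confine the log file to $base: resolve the parent directory with realpath()
 * (collapses ".." and follows symlinks), require it to be $base or below, and
 * accept only a plain name with a single fixed ".log" extension, so even a
 * directory that is accidentally web-served never hands the file to PHP.
 * Returns null when the path is rejected.
 */
function logPathConfined(string $base, string $configured): ?string
{
    $realBase = realpath($base);
    $realDir  = realpath(dirname($configured));   // parent must already exist
    if ($realBase === false || $realDir === false) {
        return null;
    }
    $inside = $realDir === $realBase
        || strpos($realDir, $realBase . DIRECTORY_SEPARATOR) === 0;
    if (!$inside) {
        return null;                               // escaped via "..", symlink or absolute path
    }
    $file = basename($configured);
    if (preg_match('/^[A-Za-z0-9_-]+\.log$/', $file) !== 1) {
        return null;                               // exactly one extension, and it is .log
    }
    return $realDir . DIRECTORY_SEPARATOR . $file;
}

// Constructed layout: a log directory and a fake web root, plus a symlink
// inside the log directory that points at the web root.
$root = sys_get_temp_dir() . '/lam-logdemo-' . getmypid();
$logs = $root . '/logs';
$web  = $root . '/www/tmp';
mkdir($logs, 0700, true);
mkdir($web, 0700, true);
symlink($web, $logs . '/linked');

$candidates = [
    $logs . '/lam.log',                  // accepted
    $web  . '/lam.php',                  // outside the log directory, and .php
    $logs . '/../www/tmp/lam.log',       // ".." resolves into the web root
    $logs . '/linked/lam.log',           // symlink resolves into the web root
    $logs . '/lam.php',                  // right directory, wrong extension
    $logs . '/lam.log.php',              // double extension
];
foreach ($candidates as $c) {
    printf("%-32s unchecked=%s confined=%s\n",
        str_replace($root, '<root>', $c),
        basename(logPathUnchecked($c)),
        logPathConfined($logs, $c) === null ? 'rejected' : 'accepted');
}

// Remove the constructed layout again.
unlink($logs . '/linked');
rmdir($web);
rmdir(dirname($web));
rmdir($logs);
rmdir($root);
```

Run it with the PHP CLI on a POSIX system (the symlink step is what makes the fourth candidate interesting). Keeping the log directory outside the document root is the primary control; the extension rule is a second layer for the case where the directory ends up reachable anyway.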
CVE-2022-31087 | HIGH | CVSS 7.8 | CWE-74 | fixed in 8.0 | published 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-sh
Source: NVD
CVE-2022-31086 | HIGH | CVSS 8.8 | CWE-74 | fixed in 8.0 | published 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for r
Source: NVD
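CVE-2022-31086 above and CVE-2026-27895 near the top of this list are the same class of bug: an upload-name check built on a regular expression that admits more than the intended extensions. The block below is an added example, not LAM's code, and the loose regex in it is a hypothetical illustration of CWE-185, not the pattern LAM actually used. It puts an unanchored, case-sensitive check beside a whole-name allowlist check and runs both over constructed file names.

```php
<?php
declare(strict_types=1);

// Added example, not LAM's code. The loose pattern is a hypothetical CWE-185
// illustration; the candidate names are constructed.

/**
 * Loose check: the regex is unanchored, so ".pdf" anywhere in the name is
 * enough, and it is case-sensitive, so "template.PDF" is refused. Both
 * mistakes push real deployments toward "just make it match more".
 */
function extensionAllowedLoose(string $name): bool
{
    return preg_match('/\.(pdf|xml)/', $name) === 1;   // hypothetical flawed pattern
}

/**
 * Strict check: the name must be a bare file name (no directory part), must
 * consist of one stem and exactly one extension, and that extension must be
 * in the allowlist after case folding. Double extensions such as
 * "shell.php.pdf" fail because the stem class excludes the dot.
 */
function extensionAllowedStrict(string $name): bool
{
    $allowed = ['pdf', 'xml'];
    if ($name === '' || $name !== basename($name)) {
        return false;
    }
    if (preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m) !== 1) {
        return false;
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

$candidates = [
    'template.pdf',        // legitimate
    'template.PDF',        // legitimate, upper-case extension
    'shell.pdf.php',       // ".pdf" is present, but the server will run it as PHP
    'shell.php.pdf',       // double extension; mod_mime-style handlers may still pick "php"
    '../../config/x.xml',  // directory traversal in the name
    'shell.php',           // no allowed extension at all
];
foreach ($candidates as $c) {
    printf("%-22s loose=%-5s strict=%s\n", $c,
        extensionAllowedLoose($c)  ? 'allow' : 'deny',
        extensionAllowedStrict($c) ? 'allow' : 'deny');
}
```

Expect the loose check to allow the two "shell.*" double-extension names and the traversal name while denying "template.PDF"; the strict check gives the opposite answers. Extension validation is only one layer: the upload directory should also be served with PHP execution disabled, which is what CVE-2022-31087 above is about for /lam/tmp/.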
CVE-2022-31084 | HIGH | CVSS 8.1 | CWE-88 | fixed in 8.0 | published 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 there are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that
Source: NVD
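The danger in the entry above is `new $class($arg)` with both values under attacker control: PHP will happily construct any loaded class, and some constructors already do work (open a file, parse XML, open a connection) before the object is used. The following is an added example, not LAM's code; the exporter classes, the request keys "type" and "arg" and the allowlist map are hypothetical, and no claim is made about which classes LAM's code could reach. It contrasts the unchecked construction with a fixed name-to-class map and an interface-typed return.

```php
<?php
declare(strict_types=1);

// Added example, not LAM's code. Exporter classes, request keys and the
// allowlist are hypothetical.

interface Exporter
{
    public function run(): string;
}

final class PdfExporter implements Exporter
{
    public function __construct(private string $dn) {}
    public function run(): string { return "PDF export for {$this->dn}"; }
}

final class CsvExporter implements Exporter
{
    public function __construct(private string $dn) {}
    public function run(): string { return "CSV export for {$this->dn}"; }
}

/**
 * Vulnerable: class name and first constructor argument both come straight
 * from the request, so every loaded class is reachable, including built-ins
 * whose constructor has side effects.
 */
function makeExporterUnchecked(array $request): object
{
    $class = $request['type'];
    return new $class($request['arg']);
}

/**
 * Hardened: the request only selects a key in a fixed map, so the class name
 * itself never comes from the client. The Exporter return type is enforced by
 * the engine, so a wrong class cannot be returned even if the map were later
 * extended carelessly.
 */
function makeExporterAllowlisted(array $request): Exporter
{
    $map  = ['pdf' => PdfExporter::class, 'csv' => CsvExporter::class];
    $type = $request['type'] ?? '';
    if (!is_string($type) || !isset($map[$type])) {
        throw new InvalidArgumentException('unknown export type');
    }
    $class = $map[$type];
    return new $class((string) ($request['arg'] ?? ''));
}

// Legitimate request.
$ok = ['type' => 'pdf', 'arg' => 'uid=alice,ou=people,dc=example,dc=com'];
echo makeExporterAllowlisted($ok)->run(), PHP_EOL;

// Constructed hostile request: a PHP built-in whose constructor opens the
// given path. This script itself is the target so the demo runs anywhere.
$evil = ['type' => 'SplFileObject', 'arg' => __FILE__];
$obj  = makeExporterUnchecked($evil);
printf("unchecked: built %s, first line read: %s\n", get_class($obj), trim($obj->fgets()));

try {
    makeExporterAllowlisted($evil);
} catch (InvalidArgumentException $e) {
    echo 'allowlisted: ', $e->getMessage(), PHP_EOL;
}
```

Requires PHP 8.0 or later for constructor property promotion. The SplFileObject case is deliberately mild; the point is that the object exists, with its side effect done, before any type check on the result could run.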
CVE-2022-31088 | MEDIUM | CVSS 5.3 | CWE-74 | fixed in 8.0 | published 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0.
Source: NVD
CVE-2022-31085 | MEDIUM | CVSS 6.1 | CWE-311 | fixed in 8.0 | published 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in versi
Source: NVD
CVE-2022-24851 | MEDIUM | CVSS 4.8 | CWE-22 | fixed in 7.9.1 | published 2022-04-15
LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any
Source: NVD
CVE-2012-1114 | MEDIUM | CVSS 6.1 | CWE-79 | affected LAM Pro 3.6 | published 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action, and the filteruid parameter to list.php.
Source: NVD
CVE-2012-1115 | MEDIUM | CVSS 6.1 | CWE-79 | affected LAM Pro 3.6 | published 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
Source: NVD
CVE-2018-8764 | HIGH | CVSS 8.8 | CWE-352 | fixed in 6.3 | published 2018-03-27
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging.
Source: NVD
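A CSRF token carried in the query string is copied into every place that records URLs: web server and proxy access logs, Referer headers sent to other sites, and browser history. The block below is an added example, not LAM's code; only the parameter name sec_token comes from the advisory, while the session handling, the script path, the request shape and the constructed log line are hypothetical. It shows the token leaking through a log line and a check that reads the token from the POST body only, with a constant-time comparison.

```php
<?php
declare(strict_types=1);

// Added example, not LAM's code. Only the name "sec_token" is from the
// advisory; the rest is hypothetical.

/** One token per session, from a CSPRNG. */
function csrfToken(array &$session): string
{
    if (!isset($session['sec_token'])) {
        $session['sec_token'] = bin2hex(random_bytes(32));
    }
    return $session['sec_token'];
}

/** The pattern the advisory describes: the token rides in the query string. */
function actionUrlWithToken(string $script, string $token): string
{
    return $script . '?' . http_build_query(['cmd' => 'delete', 'sec_token' => $token]);
}

/** Where a query-string token ends up: a constructed, common-log-style access log line. */
function accessLogLine(string $url): string
{
    return '203.0.113.5 - - [27/Mar/2018:10:00:00 +0000] "GET ' . $url . ' HTTP/1.1" 200 512';
}

/**
 * Hardened check: state-changing requests must be POST, and the token is read
 * from the POST body only, so a copy in the URL (and therefore in logs,
 * Referer headers and history) is worthless. hash_equals() keeps the
 * comparison constant-time.
 */
function csrfTokenValid(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['sec_token'] ?? null;
    $given    = $post['sec_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

$session = [];
$token   = csrfToken($session);

// 1. Token in the URL: anyone who can read this log line can replay the action.
$url = actionUrlWithToken('/lam/action.php', $token);   // hypothetical script path
echo accessLogLine($url), PHP_EOL;

// 2. The same token presented via GET is refused; it is only honoured in a POST body.
parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
var_dump(csrfTokenValid($session, 'GET',  $get));                        // false
var_dump(csrfTokenValid($session, 'POST', ['sec_token' => $token]));     // true
var_dump(csrfTokenValid($session, 'POST', ['sec_token' => str_repeat('0', 64)])); // false
```

The method check matters as much as the source array: if the same handler accepted GET, a token recovered from a log would still be replayable by simply pasting the URL.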
CVE-2018-8763 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 6.3 | published 2018-03-27
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 has XSS via the dn parameter to the templates/3rdParty/pla/htdocs/cmd.php URI or the template parameter to the templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form URI.
Source: NVD
CVE-2013-4453 | MEDIUM | CVSS 4.3 | CWE-79 | affected 4.2.1, 4.3 | published 2013-11-05
Cross-site scripting (XSS) vulnerability in templates/login.php in LDAP Account Manager (LAM) 4.3 and 4.2.1 allows remote attackers to inject arbitrary web script or HTML via the language parameter.
Source: NVD