CVE-2024-9102 – phpLDAPadmin: Improper Neutralization of Formula Elements
https://notcve.org/view.php?id=CVE-2024-9102
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection.
• https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240
• https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0
• https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2020-35132
https://notcve.org/view.php?id=CVE-2020-35132
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php.
• https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474
• https://github.com/leenooks/phpLDAPadmin/commit/c87571f6b7be15d5cd8b26381b6eb31ad03d28e2
• https://github.com/leenooks/phpLDAPadmin/compare/1.2.5...1.2.6.2
• https://github.com/leenooks/phpLDAPadmin/issues/130
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6PZH3EY2T66N2MGOA7DWCAIVYIJH4BC
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-11107
https://notcve.org/view.php?id=CVE-2017-11107
phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter.
• https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731
• https://github.com/leenooks/phpLDAPadmin/issues/50
• https://lists.debian.org/debian-lts-announce/2018/10/msg00023.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-0834 – phpLDAPadmin 1.2.2 - 'base' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-0834
Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php.
• https://www.exploit-db.com/exploits/36654
• http://openwall.com/lists/oss-security/2012/02/02/9
• http://openwall.com/lists/oss-security/2012/02/03/3
• http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin%3Ba=commit%3Bh=7dc8d57d6952fe681cb9e8818df7f103220457bd
• http://secunia.com/advisories/47852
• http://www.mandriva.com/security/advisories?name=MDVSA-2012:020
• https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2011-4074 – phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection
https://notcve.org/view.php?id=CVE-2011-4074
Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via an _debug command.
• https://www.exploit-db.com/exploits/18021
• http://openwall.com/lists/oss-security/2011/10/24/9
• http://openwall.com/lists/oss-security/2011/10/25/2
• http://osvdb.org/76593
• http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin%3Ba=blobdiff%3Bf=htdocs/cmd.php%3Bh=0ddf0044355abc94160be73122eb34f3e48ab2d9%3Bhp=34f3848fe4a6d4c00c7c568afa81f59579f5d724%3Bhb=64668e882b8866fae0fa1b25375d1a2f3b4672e2%3Bhpb=caeba72171ade4f588fef1818aa4f6243a68b85e
• http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
• http://secunia&
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')