
CVE-2024-9102 – phpLDAPadmin: Improper Neutralization of Formula Elements
https://notcve.org/view.php?id=CVE-2024-9102
19 Dec 2024 — phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. • https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2024-9101 – phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php
https://notcve.org/view.php?id=CVE-2024-9101
19 Dec 2024 — A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set. • https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-35132
https://notcve.org/view.php?id=CVE-2020-35132
11 Dec 2020 — An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php. • https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2011-4082
https://notcve.org/view.php?id=CVE-2011-4082
26 Nov 2019 — A local file inclusion flaw was found in the way phpLDAPadmin before 0.9.8 processed certain values of the "Accept-Language" HTTP header. A remote attacker could use this flaw to cause a denial of service via a specially crafted request. • https://access.redhat.com/security/cve/cve-2011-4082 • CWE-400: Uncontrolled Resource Consumption •

CVE-2018-12689
https://notcve.org/view.php?id=CVE-2018-12689
22 Jun 2018 — phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel. • https://www.exploit-db.com/exploits/44926 •

CVE-2017-11107 – Ubuntu Security Notice USN-4620-1
https://notcve.org/view.php?id=CVE-2017-11107
08 Jul 2017 — phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter. It was discovered that phpLDAPadmin didn't properly sanitize input before it was echoed to the user. A remote attacker could inject arbitrary HTML/JavaScript code in a user's context and cause a crash, resulting... • https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2012-0834 – phpLDAPadmin 1.2.2 - 'base' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-0834
11 Feb 2012 — Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php. • https://www.exploit-db.com/exploits/36654 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2011-4074 – phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection
https://notcve.org/view.php?id=CVE-2011-4074
02 Nov 2011 — Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via an _debug command. • https://www.exploit-db.com/exploits/18021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2011-4075 – phpLDAPadmin 1.2.1.1 - Remote PHP Code Injection
https://notcve.org/view.php?id=CVE-2011-4075
02 Nov 2011 — The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011. • https://www.exploit-db.com/exploits/18031 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2009-4427 – phpLDAPadmin - Local File Inclusion
https://notcve.org/view.php?id=CVE-2009-4427
28 Dec 2009 — Directory traversal vulnerability in cmd.php in phpLDAPadmin 1.1.0.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cmd parameter. • https://www.exploit-db.com/exploits/10410 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •