CVE-2022-24851 – Stored XSS and path traversal in LDAPAccountManager/lam
https://notcve.org/view.php?id=CVE-2022-24851
LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor's edit-profile page does not properly sanitize its parameters, which leads to stored XSS: an authenticated user can store XSS payloads in a profile, and they fire when any other user opens the edit-profile page for that profile. The PDF editor's edit-PDF-profile function does not properly sanitize the logoFile parameter, so a user can submit relative paths such as ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png (for example via a proxy tool like Burp Suite) and make the server reference files outside the intended logo directory. • https://github.com/LDAPAccountManager/lam/commit/3c6f09a3579e048e224eb5a4c4e3eefaa8bccd49 https://github.com/LDAPAccountManager/lam/issues/170 https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-f2fr-cccr-583v https://www.debian.org/security/2022/dsa-5177 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
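The two bugs above have the same shape as most CWE-22 and CWE-79 findings: a request parameter is joined onto a filesystem path, or echoed into HTML, without validation or encoding. The PHP below is an added illustration written for this page; it is not LAM's code and not the upstream fix in commit 3c6f09a. The directory constant, the function names and the XSS payload are assumptions chosen for the example; the traversal string is the one quoted in the advisory.

```php
<?php
// Added illustration for CVE-2022-24851. Not LAM's code and not the upstream fix.
// LOGO_DIR, the function names and the XSS payload are assumptions for this example.
declare(strict_types=1);

const LOGO_DIR = '/var/lib/ldap-account-manager/config/pdf/logos'; // assumed location

// The pattern the advisory describes: the logoFile parameter is joined onto the
// logo directory as-is, so "../" segments walk out of it.
function vulnerable_logo_path(string $logoFile): string
{
    return LOGO_DIR . '/' . $logoFile;
}

// Hardened version: accept only a bare file name with a conservative character
// set and an image extension. Returns null when the value is rejected.
function safe_logo_path(string $logoFile): ?string
{
    // basename() drops any directory component; if that changed the value,
    // the caller supplied a path rather than a file name.
    if ($logoFile === '' || basename($logoFile) !== $logoFile) {
        return null;
    }
    // Allowlist of characters and extensions; also rejects backslashes, NUL bytes
    // and URL-encoded residue, none of which belong in a logo file name.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.(png|jpe?g|gif)$/i', $logoFile)) {
        return null;
    }
    // Rejects ".", ".." and dotfiles even though the regex above already
    // requires an image extension; defence in depth costs one line here.
    if ($logoFile[0] === '.') {
        return null;
    }
    return LOGO_DIR . '/' . $logoFile;
}

// Second half of the CVE: profile field values rendered back into HTML must be
// encoded for the HTML context, including quotes, so a stored value cannot
// break out of an attribute or open a script element.
function render_profile_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$traversal = '../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png';
$payload   = '"><script>alert(document.cookie)</script>'; // constructed payload

printf("vulnerable join: %s\n", vulnerable_logo_path($traversal));
var_dump(safe_logo_path($traversal));          // traversal string
var_dump(safe_logo_path('..\\..\\x.png'));     // backslash variant
var_dump(safe_logo_path('company-logo.png'));  // legitimate name
printf("escaped field: %s\n", render_profile_field($payload));
```

The traversal string and the backslash variant are rejected, while a plain name is joined onto LOGO_DIR. When the file must also exist, add a second check that `realpath()` of the joined path still starts with `realpath(LOGO_DIR) . '/'`, which catches symlinks the string-level check cannot see. The encoding helper is the fix for the stored-XSS half: escaping at output time, in the context the value lands in, rather than trying to strip "bad" characters at input time.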
CVE-2012-1115
https://notcve.org/view.php?id=CVE-2012-1115
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089313.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089328.html http://www.openwall.com/lists/oss-security/2012/03/05/24 http://www.openwall.com/lists/oss-security/2012/03/12/1 http://www.openwall.com/lists/oss-security/2012/03/12/10 http://www.securityfocus.com/bid/52255 https://bugzilla.redhat.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-1114
https://notcve.org/view.php?id=CVE-2012-1114
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export action (together with exporter_id), and in the filteruid parameter to list.php. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089313.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089328.html http://www.openwall.com/lists/oss-security/2012/03/05/24 http://www.openwall.com/lists/oss-security/2012/03/12/1 http://www.openwall.com/lists/oss-security/2012/03/12/10 http://www.securityfocus.com/bid/52255 https://bugzilla.redhat.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-8764 – LDAP Account Manager 6.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-8764
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging. A token carried in the query string is written to web-server and proxy access logs, browser history and outbound Referer headers, so anyone who can read those sources can replay a valid token. The Packet Storm advisory linked below covers this issue together with the related XSS in version 6.2 (CVE-2018-8763). • http://packetstormsecurity.com/files/146858/LDAP-Account-Manager-6.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2018/Mar/45 https://www.debian.org/security/2018/dsa-4165 • CWE-352: Cross-Site Request Forgery (CSRF) •
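To see why a token in the URL is a logging problem, it helps to look at what an ordinary access log retains. The PHP below is an added example written for this page, not code from LAM or from the advisory: it scans combined-format access log lines for a sec_token query parameter and reports every request that exposed one. The log lines, the client addresses, the paths and the token value are all constructed for the example; the parameter name is the one named in the CVE.

```php
<?php
// Added example for CVE-2018-8764. Not LAM's code and not from the advisory.
// The log lines below are constructed; only the parameter name sec_token is from the CVE.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [10/Mar/2018:09:12:01 +0000] "GET /lam/templates/lists/list.php?type=user HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2018:09:12:07 +0000] "GET /lam/templates/account/edit.php?type=user&sec_token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 8044 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2018:09:13:44 +0000] "POST /lam/templates/login.php HTTP/1.1" 302 0 "-" "curl/7.58.0"
10.0.0.7 - - [10/Mar/2018:09:15:02 +0000] "GET /lam/templates/lists/list.php?type=group&sec_token=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
LOG;

/**
 * Return one row per request whose URL carried the named parameter.
 * Each row is ['client' => ..., 'path' => ..., 'token' => ...].
 * Any row means the CSRF token is recoverable by whoever can read the log.
 */
function find_leaked_tokens(string $log, string $param = 'sec_token'): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined log format: client address, identd, user, [timestamp], "METHOD target HTTP/x".
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/\d\.\d"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[2], PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue; // no query string, nothing can have leaked via the URL
        }
        parse_str($query, $params);
        if (!isset($params[$param]) || !is_string($params[$param])) {
            continue;
        }
        $hits[] = [
            'client' => $m[1],
            'path'   => parse_url($m[2], PHP_URL_PATH),
            'token'  => $params[$param],
        ];
    }
    return $hits;
}

foreach (find_leaked_tokens(SAMPLE_LOG) as $hit) {
    printf("%s requested %s with %s exposed in the URL\n", $hit['client'], $hit['path'], $hit['token']);
}
```

Run against a real log directory, the same loop tells an operator whether tokens from before the upgrade to 6.3 are still sitting in rotated logs or in a log-shipping pipeline. The remediation direction the fix points at is the usual one: carry the anti-CSRF token in a POST body field or a request header, never in the URL, and treat any token that has been logged as burned.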
CVE-2018-8763 – LDAP Account Manager 6.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-8763
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 has XSS via the dn parameter to the templates/3rdParty/pla/htdocs/cmd.php URI or the template parameter to the templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form URI. The affected script is the phpLDAPadmin copy bundled under templates/3rdParty/pla. The Packet Storm advisory linked below covers this issue together with the related CSRF-token exposure in version 6.2 (CVE-2018-8764). • http://packetstormsecurity.com/files/146858/LDAP-Account-Manager-6.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2018/Mar/45 https://lists.debian.org/debian-lts-announce/2018/04/msg00007.html https://www.debian.org/security/2018/dsa-4165 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •