CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-24851 – Stored XSS and path traversal in LDAPAccountManager/lam
https://notcve.org/view.php?id=CVE-2022-24851
LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. • https://github.com/LDAPAccountManager/lam/commit/3c6f09a3579e048e224eb5a4c4e3eefaa8bccd49 https://github.com/LDAPAccountManager/lam/issues/170 https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-f2fr-cccr-583v https://www.debian.org/security/2022/dsa-5177 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 2CVE-2018-8763 – LDAP Account Manager 6.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-8763
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 has XSS via the dn parameter to the templates/3rdParty/pla/htdocs/cmd.php URI or the template parameter to the templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form URI. Roland Gruber Softwareentwicklung LDAP Account Manager, en versiones anteriores a la 6.3, contiene Cross-Site Scripting (XSS) mediante el parámetro dn en el URI templates/3rdParty/pla/htdocs/cmd.php o el parámetro template en el URI templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form. LDAP Account Manager version 6.2 suffers from cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/146858/LDAP-Account-Manager-6.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2018/Mar/45 https://lists.debian.org/debian-lts-announce/2018/04/msg00007.html https://www.debian.org/security/2018/dsa-4165 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 2CVE-2018-8764 – LDAP Account Manager 6.2 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-8764
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging. Roland Gruber Softwareentwicklung LDAP Account Manager en versiones anteriores a la 6.3 coloca un token CSRF en el parámetro sec_token de un URI. Esto facilita a los atacantes remotos acabar con los mecanismos de protección ante CSRF aprovechando el inicio de sesión. LDAP Account Manager version 6.2 suffers from cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/146858/LDAP-Account-Manager-6.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2018/Mar/45 https://www.debian.org/security/2018/dsa-4165 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-4453
https://notcve.org/view.php?id=CVE-2013-4453
Cross-site scripting (XSS) vulnerability in templates/login.php in LDAP Account Manager (LAM) 4.3 and 4.2.1 allows remote attackers to inject arbitrary web script or HTML via the language parameter. Vulnerabilidad cross-site scripting (XSS) en templates/login.php en el LDAP Account Manager (LAM) 4.3 y 4.2.1 que permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de idioma. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726976 http://osvdb.org/98828 http://seclists.org/oss-sec/2013/q4/149 http://secunia.com/advisories/55413 http://sourceforge.net/p/lam/bugs/156 http://www.rusty-ice.de/advisory/advisory_2013001.txt https://exchange.xforce.ibmcloud.com/vulnerabilities/88203 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •