CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31085 – Missing Encryption of Sensitive Data in ldap-account-manager
https://notcve.org/view.php?id=CVE-2022-31085
27 Jun 2022 — LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration. LDAP Account Mana... • https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 • CWE-311: Missing Encryption of Sensitive Data CWE-522: Insufficiently Protected Credentials •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-31084 – Unauthenticated Remote Code Execution in ldap-account-manager
https://notcve.org/view.php?id=CVE-2022-31084
27 Jun 2022 — LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0. • https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31086 – Incorrect Regular Expressions in ldap-account-manager
https://notcve.org/view.php?id=CVE-2022-31086
27 Jun 2022 — LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. • https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31087 – Incorrect Default Permissions in ldap-account-manager
https://notcve.org/view.php?id=CVE-2022-31087
27 Jun 2022 — LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PH... • https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31088 – Unauthenticated LDAP Injection in ldap-account-manager
https://notcve.org/view.php?id=CVE-2022-31088
27 Jun 2022 — LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the user name field at login could be used to enumerate LDAP data. This is only the case for LDAP search configuration. This issue has been fixed in version 8.0. LDAP Account Manager (LAM) es una interfaz web para administrar entradas (por ejemplo, usuarios, grupos, configuraciones DHCP) almacenadas en un directorio LDAP. • https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-24851 – Stored XSS and path traversal in LDAPAccountManager/lam
https://notcve.org/view.php?id=CVE-2022-24851
15 Apr 2022 — LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitiz... • https://github.com/LDAPAccountManager/lam/commit/3c6f09a3579e048e224eb5a4c4e3eefaa8bccd49 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2012-1115
https://notcve.org/view.php?id=CVE-2012-1115
05 Dec 2019 — A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php. Se presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) en LDAP Account Manager (LAM) Pro versión 3.6, en los parámetros export, add_value_form y dn en el archivo cmd.php. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2012-1114
https://notcve.org/view.php?id=CVE-2012-1114
05 Dec 2019 — A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php. Se presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) en LDAP Account Manager (LAM) Pro versión 3.6, en el parámetro filter en el archivo cmd.php en una acción export y exporter_id y el parámetro filteruid en el archivo list.php. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 3CVE-2018-8764 – Debian Security Advisory 4165-1
https://notcve.org/view.php?id=CVE-2018-8764
22 Mar 2018 — Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging. Roland Gruber Softwareentwicklung LDAP Account Manager en versiones anteriores a la 6.3 coloca un token CSRF en el parámetro sec_token de un URI. Esto facilita a los atacantes remotos acabar con los mecanismos de protección ante CSRF aprovechando el inicio de sesión. Michal Kedzior fo... • https://packetstorm.news/files/id/146858 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 3CVE-2018-8763 – Debian Security Advisory 4165-1
https://notcve.org/view.php?id=CVE-2018-8763
22 Mar 2018 — Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 has XSS via the dn parameter to the templates/3rdParty/pla/htdocs/cmd.php URI or the template parameter to the templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form URI. Roland Gruber Softwareentwicklung LDAP Account Manager, en versiones anteriores a la 6.3, contiene Cross-Site Scripting (XSS) mediante el parámetro dn en el URI templates/3rdParty/pla/htdocs/cmd.php o el parámetro template en el URI templates/3rdParty/pla/htdocs/cmd.php?cmd=r... • https://packetstorm.news/files/id/146858 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •