CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9102 – phpLDAPadmin: Improper Neutralization of Formula Elements
https://notcve.org/view.php?id=CVE-2024-9102
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. • https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240 https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0 https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9101 – phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php
https://notcve.org/view.php?id=CVE-2024-9101
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set. • https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27 https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1 https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2020-35132
https://notcve.org/view.php?id=CVE-2020-35132
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php. Se detectó un problema de tipo XSS en phpLDAPadmin versiones anteriores a 1.2.6.2, que permite a usuarios almacenar valores maliciosos que pueden ser ejecutados por otros usuarios en un momento posterior por medio de la función get_request en la biblioteca lib/function.php • https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474 https://github.com/leenooks/phpLDAPadmin/commit/c87571f6b7be15d5cd8b26381b6eb31ad03d28e2 https://github.com/leenooks/phpLDAPadmin/compare/1.2.5...1.2.6.2 https://github.com/leenooks/phpLDAPadmin/issues/130 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6PZH3EY2T66N2MGOA7DWCAIVYIJH4BC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2011-4082
https://notcve.org/view.php?id=CVE-2011-4082
A local file inclusion flaw was found in the way the phpLDAPadmin before 0.9.8 processed certain values of the "Accept-Language" HTTP header. A remote attacker could use this flaw to cause a denial of service via specially-crafted request. Se encontró un fallo de inclusión de archivo local en la manera en que phpLDAPadmin versiones anteriores a 0.9.8 procesó determinados valores del encabezado HTTP "Accept-Language". Un atacante remoto podría usar este fallo para causar una denegación de servicio por medio de una petición especialmente diseñada. • https://access.redhat.com/security/cve/cve-2011-4082 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4082 https://security-tracker.debian.org/tracker/CVE-2011-4082 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 5%CPEs: 1EXPL: 1CVE-2018-12689
https://notcve.org/view.php?id=CVE-2018-12689
phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel. phpLDAPadmin 1.2.2 permite la inyección LDAP mediante un parámetro server_id en una petición cmd.php?cmd=login_form o un nombre de usuario y contraseña manipulados en el panel de inicio de sesión. • https://www.exploit-db.com/exploits/44926 •