CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9102 – phpLDAPadmin: Improper Neutralization of Formula Elements
https://notcve.org/view.php?id=CVE-2024-9102
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. • https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240 https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0 https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 2.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-9101 – phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php
https://notcve.org/view.php?id=CVE-2024-9101
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set. • https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27 https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1 https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2020-35132
https://notcve.org/view.php?id=CVE-2020-35132
An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php. Se detectó un problema de tipo XSS en phpLDAPadmin versiones anteriores a 1.2.6.2, que permite a usuarios almacenar valores maliciosos que pueden ser ejecutados por otros usuarios en un momento posterior por medio de la función get_request en la biblioteca lib/function.php • https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1906474 https://github.com/leenooks/phpLDAPadmin/commit/c87571f6b7be15d5cd8b26381b6eb31ad03d28e2 https://github.com/leenooks/phpLDAPadmin/compare/1.2.5...1.2.6.2 https://github.com/leenooks/phpLDAPadmin/issues/130 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XA42XDSUPCOXL5ZCP5RGD3FD4JQQWNX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6PZH3EY2T66N2MGOA7DWCAIVYIJH4BC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2017-11107
https://notcve.org/view.php?id=CVE-2017-11107
phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the form, element, rdn, or container parameter. phpLDAPadmin hasta versión 1.2.3 presenta una vulnerabilidad de tipo cross-site scripting XSS en el archivo htdocs/entry_chooser.php por medio de los parámetros form, element, rdn o container. • https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731 https://github.com/leenooks/phpLDAPadmin/issues/50 https://lists.debian.org/debian-lts-announce/2018/10/msg00023.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2012-0834 – phpLDAPadmin 1.2.2 - 'base' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-0834
Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en lib/QueryRender.php en phpLDAPadmin v1.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro base en una acción query_engin sobre cmd.php • https://www.exploit-db.com/exploits/36654 http://openwall.com/lists/oss-security/2012/02/02/9 http://openwall.com/lists/oss-security/2012/02/03/3 http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin%3Ba=commit%3Bh=7dc8d57d6952fe681cb9e8818df7f103220457bd http://secunia.com/advisories/47852 http://www.mandriva.com/security/advisories?name=MDVSA-2012:020 https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •