CVE-2024-9102 – phpLDAPadmin: Improper Neutralization of Formula Elements
https://notcve.org/view.php?id=CVE-2024-9102
phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. This could lead to CSV Formula Injection.
References:
https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240
https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0
https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin
Weakness: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2024-9101 – phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php
https://notcve.org/view.php?id=CVE-2024-9101
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
References:
https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php
https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27
https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1
https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')