Bug 2333323 (CVE-2024-9101)

Summary: CVE-2024-9101 phpldapadmin: phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: dmitry
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: dmitry: needinfo? (bzimport)
Hardware: All   
OS: Linux   
Bug Depends On: 2333339, 2333340, 2333342, 2333341    

Description OSIDB Bzimport 2024-12-19 14:01:03 UTC
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
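As an added illustration (not phpLDAPadmin's own code), the pattern the description refers to: a chooser popup writing the picked DN into the opener's form field named by the `element` parameter, first as eval over a concatenated string and then as a plain property lookup behind a name check. The form and field names, the `window.opener` stand-in and the query-string helper are constructed for the demo.

```javascript
// Added illustration, not phpLDAPadmin's code: an entry-chooser popup that
// writes the picked DN into the opener's form field named by the 'element'
// query parameter. Form and field names below are assumed for the demo.

// Vulnerable pattern: untrusted names are spliced into a string that is
// then handed to eval, so the parameter is treated as code, not data.
function setOpenerFieldUnsafe(opener, formName, elementName, dn) {
  eval("opener.document.forms['" + formName + "'].elements['" +
       elementName + "'].value = dn;");
}

// Hardened pattern: names must look like ordinary form-control names, and
// the lookup is a property access, so the parameter can never become code.
const SAFE_NAME = /^[A-Za-z0-9_\-\[\]]+$/;

function setOpenerFieldSafe(opener, formName, elementName, dn) {
  if (!SAFE_NAME.test(formName) || !SAFE_NAME.test(elementName)) return false;
  // The advisory notes exploitation needs 'opener' to be set; the hardened
  // version simply does nothing when it is not.
  if (!opener || !opener.document) return false;
  const form = opener.document.forms[formName];
  const field = form ? form.elements[elementName] : undefined;
  if (!field) return false;
  field.value = dn;
  return true;
}

// Constructed stand-in for window.opener so the demo runs outside a browser.
function makeOpener() {
  return { document: { forms: { search: { elements: { base_dn: { value: "" } } } } } };
}

// Parse the popup's query string the way the page would see it.
function chooserParams(search) {
  const q = new URLSearchParams(search);
  return { form: q.get("form") || "", element: q.get("element") || "" };
}
```

In the real application the same name check belongs in the PHP that emits the script (or the value should be encoded as a JavaScript string literal there), so that the browser never receives the raw parameter inside code.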

Comment 2 Dmitry Butskoy 2024-12-20 23:50:45 UTC
Unfortunately it seems that upstream is stalled.

See https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/ for more info, as well as upstream itself at https://github.com/leenooks/phpLDAPadmin .

It would be fine if someone with good experience in PHP could help with providing a patch. (Note: there is still no such patch in Debian either.)