Bug 2333323 (CVE-2024-9101) - CVE-2024-9101 phpldapadmin: phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php [NEEDINFO]
Summary: CVE-2024-9101 phpldapadmin: phpLDAPadmin: Reflected Cross-Site Scripting in e...
Keywords:
Status: NEW
Alias: CVE-2024-9101
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2333339 2333340 2333342 2333341
Blocks:
Reported: 2024-12-19 14:01 UTC by OSIDB Bzimport
Modified: 2024-12-20 23:50 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
dmitry: needinfo? (bzimport)



Description OSIDB Bzimport 2024-12-19 14:01:03 UTC
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
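As an added example (not phpLDAPadmin's own code), here is a hardened form of the write-back an entry chooser popup performs into the window that opened it: the form and field names supplied by the request (the 'element' value the advisory refers to) are validated against a strict allowlist and used only as property lookups, never spliced into a string handed to eval(). The allowlist pattern, the function names and the fake opener document are assumptions made for this illustration.

```javascript
// Hypothetical hardened opener callback for an entry-chooser style popup.
// The names come from the request, so they are untrusted input; the chosen DN
// is treated as data and assigned as a plain property, never executed.
const NAME_PATTERN = /^[A-Za-z0-9_]{1,64}$/; // assumed allowlist for form/field names

// Returns true when the DN was written into the opener's field, false when
// the request was rejected (bad name, missing form or field, or a lookup that
// resolved to something that is not a form control).
function setOpenerField(openerDoc, formName, fieldName, dn) {
  if (typeof formName !== 'string' || !NAME_PATTERN.test(formName)) return false;
  if (typeof fieldName !== 'string' || !NAME_PATTERN.test(fieldName)) return false;
  if (!openerDoc || typeof openerDoc.forms !== 'object') return false;
  const form = openerDoc.forms[formName];
  if (!form || typeof form !== 'object' || typeof form.elements !== 'object') return false;
  const field = form.elements[fieldName];
  // Reject prototype hits (e.g. "constructor") and anything without a value slot.
  if (!field || typeof field !== 'object' || typeof field.value !== 'string') return false;
  field.value = String(dn);
  return true;
}

// Constructed stand-in for opener.document so the example runs outside a browser.
function makeFakeOpenerDocument() {
  const dnField = { value: '' };
  return {
    forms: { entry_form: { elements: { dn: dnField } } },
    dnField: dnField, // exposed so callers can inspect the written value
  };
}
```

In a browser the first argument would be `opener.document`; the check that `opener` exists and is same-origin is the caller's responsibility.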

Comment 2 Dmitry Butskoy 2024-12-20 23:50:45 UTC
Unfortunately it seems that upstream is stalled.

See https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/ for more info, as well as upstream itself at https://github.com/leenooks/phpLDAPadmin .

It would be fine if someone with good experience in PHP could help with providing a patch. (Note: there is still no such patch in Debian either.)
