CVE-2024-9101 Information
Description
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (versions 1.2.1 through 1.2.6.7, the latest release at the time of the advisory) allows an attacker to execute arbitrary JavaScript in a victim's browser via the 'element' parameter, which is passed unsanitized to the JavaScript 'eval' function. However, exploitation is limited to the specific condition where 'opener' is correctly set, i.e. the chooser page has been opened from a parent window that the generated script can reach.
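The following is an added illustration of the bug class the description names (a request parameter concatenated into a string that is then eval()'d in the chooser window) beside the hardened form. It is not phpLDAPadmin's code or its fix: the form layout, the field names, the helper names and the payload are all constructed here for the example, and the stand-in opener object replaces what a real browser would supply as window.opener.

```javascript
// Added illustration of the eval() pattern behind CVE-2024-9101.
// Not phpLDAPadmin's code: the opener layout, field names and payload are constructed.

// Stand-in for window.opener in a real browser: the parent page's first form,
// with two text fields the chooser might write a selected DN into (constructed).
function makeOpener() {
  return { document: { forms: [{ dn: { value: "" }, base: { value: "" } }] } };
}

// Stand-in for attacker-controlled JavaScript; it records that it ran.
const sideEffects = [];
function attackerRan() {
  sideEffects.push("attacker code executed");
  return "pwned";
}

// VULNERABLE PATTERN: the server echoes the `element` query parameter into a
// JavaScript statement and the page eval()s it. Whoever controls `element`
// controls the rest of the statement, so a crafted link runs arbitrary code.
// Because the statement starts with `opener.document...`, it throws before
// reaching the injected part when `opener` is null, which is the "opener must
// be set" condition in the advisory.
function vulnerableSetValue(opener, element, dn) {
  const code = "opener.document.forms[0]." + element + ".value = dn;";
  return eval(code); // direct eval: resolves `opener` and `dn` from this scope
}

// HARDENED PATTERN: treat `element` as data, never as code. Accept only a plain
// identifier, require that it names an own field on the target form, then use
// ordinary property access instead of eval().
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
function safeSetValue(opener, element, dn) {
  if (opener === null || opener === undefined) {
    throw new Error("no opener window");
  }
  if (typeof element !== "string" || !IDENT.test(element)) {
    throw new Error("invalid element name");
  }
  const form = opener.document.forms[0];
  if (!Object.prototype.hasOwnProperty.call(form, element)) {
    throw new Error("unknown form field");
  }
  form[element].value = dn;
  return form[element].value;
}

// Constructed payload: a valid field name followed by an injected statement and
// a trailing expression so the generated statement still parses.
const PAYLOAD = "dn; attackerRan(); opener.document.forms[0].dn";

// Runs both variants against the payload and reports what happened.
function demo() {
  const result = { vulnerableExecutedPayload: false, safeRejectedPayload: false, noOpenerBlocked: false };

  vulnerableSetValue(makeOpener(), PAYLOAD, "cn=x,dc=example,dc=com");
  result.vulnerableExecutedPayload = sideEffects.length > 0;

  try {
    safeSetValue(makeOpener(), PAYLOAD, "cn=x,dc=example,dc=com");
  } catch (e) {
    result.safeRejectedPayload = true;
  }

  try {
    vulnerableSetValue(null, PAYLOAD, "cn=x,dc=example,dc=com");
  } catch (e) {
    result.noOpenerBlocked = e instanceof TypeError;
  }
  return result;
}
```

The important design choice in the hardened version is that the parameter is never reassembled into source text: an allowlist of identifier characters plus an own-property check on the actual form means the worst a tampered link can do is name a field that exists, and a missing opener is reported as an error rather than silently relied on.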
Reference
https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php
https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27
https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1/
https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/