Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-31085

Good to know:

icon

Date: June 27, 2022

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in LAM main configuration.

Language: PHP

Severity Score

Related Resources (6)

https://nvd.nist.gov/vuln/detail/CVE-2022-31085
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6m3q-5c84-6h6j
https://github.com/LDAPAccountManager/lam/commit/f1d5d04952f39a1b4ea203d3964fa88e1429dfd4
https://security-tracker.debian.org/tracker/CVE-2022-31085
https://www.debian.org/security/2022/dsa-5177
https://www.mend.io/vulnerability-database/CVE-2022-31085

Severity Score

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Insufficiently Protected Credentials

CWE-522

Missing Encryption of Sensitive Data

CWE-311

Top Fix

icon

Upgrade Version

Upgrade to version lam_8_0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us