CVE-2024-9101 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-9101

CVE-2024-9101

December 19, 2024

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.

Related Resources (4)

https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php

https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27

https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1/

Do you need more information?

CVSS v4

Base Score:

2.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

ACTIVE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

LOW

CVSS v3

Base Score:

4.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.30

Products

Solutions

Resources

Company

Compare

Developer Tools