CVE-2024-9101

LOW

phpLDAPadmin 1.2.1-1.2.6.7 - Reflected Cross-Site Scripting via Entry Chooser Element Parameter

Title source: llm

Description

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' pop-up of phpLDAPadmin (versions 1.2.1 through 1.2.6.7, the latest release at the time of publication) allows an attacker to execute arbitrary JavaScript in a victim's browser. The value of the 'element' URL parameter is inserted, without sanitisation, into JavaScript that is handed to eval(), so a crafted link can break out of the intended expression and run attacker-supplied code. Exploitation is constrained: the chooser writes its result back to the parent window through the JavaScript 'opener' reference, so the crafted URL only has effect when the page is loaded in a context where 'opener' is set (such as when it is opened as a pop-up from a phpLDAPadmin form). This precondition, together with the need for a victim to follow the attacker's link, is reflected in the CVSS v4 vector below (AT:P, UI:A).
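The following is an added illustration of the bug class described above, written for this page; it is not phpLDAPadmin's code and does not reproduce its exact script. The pop-up is modelled by two functions that receive a stand-in 'opener' object (a constructed fixture, not a browser window), a form name, the 'element' parameter and the chosen DN: chooserVulnerable() splices the parameter into code and eval()s it, chooserSafe() validates the names against an identifier allowlist and resolves them by property lookup instead. The fixture's 'compromised' flag stands in for whatever an injected payload would really do in a browser. The final helper is a log-side check for suspicious 'element' values; all names here are assumptions for the example.

```javascript
// Constructed stand-in for the parent window that opened the Entry Chooser.
// A real attack would run in the victim's browser; here an injected payload
// only has to flip the 'compromised' flag to prove it executed.
function makeOpener() {
  return {
    document: { forms: { myform: { elements: { dn: { value: "" } } } } },
    compromised: false,
  };
}

// Vulnerable pattern (assumed shape, not the project's code): the user-controlled
// element name is concatenated into JavaScript source and passed to eval().
// A value containing a quote and a semicolon terminates the intended expression
// and appends attacker-chosen statements.
function chooserVulnerable(opener, form, element, dn) {
  if (!opener) throw new Error("opener is not set: chooser was not launched from a parent window");
  const code =
    'opener.document.forms["' + form + '"].elements["' + element + '"].value = dn;';
  // eslint-disable-next-line no-eval
  eval(code); // direct eval: sees opener and dn from this scope
  return opener;
}

// Hardened version: never build code from input. Accept only plain identifiers
// and reach the target element by property lookup, which cannot execute anything.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function chooserSafe(opener, form, element, dn) {
  if (!opener) throw new Error("opener is not set: chooser was not launched from a parent window");
  if (!IDENT.test(form) || !IDENT.test(element)) {
    throw new Error("rejected form/element name: " + JSON.stringify(element));
  }
  const target = opener.document.forms[form] && opener.document.forms[form].elements[element];
  if (!target) throw new Error("no such form element");
  target.value = dn; // dn is assigned as data, never evaluated
  return opener;
}

// Triage helper for web-server logs: flag requests whose 'element' parameter is
// not a bare identifier, which is all the legitimate chooser ever needs.
function isSuspiciousElementParam(queryString) {
  const params = new URLSearchParams(queryString);
  const element = params.get("element");
  return element !== null && !IDENT.test(element);
}

// Constructed payload: closes the string and expression, then runs its own code.
const PAYLOAD = 'dn"].value; opener.compromised = true; //';

// Demo when run directly.
const pwned = chooserVulnerable(makeOpener(), "myform", PAYLOAD, "cn=x");
console.log("vulnerable chooser executed payload:", pwned.compromised);
try {
  chooserSafe(makeOpener(), "myform", PAYLOAD, "cn=x");
} catch (e) {
  console.log("hardened chooser refused:", e.message);
}
console.log("log check on crafted query:", isSuspiciousElementParam("form=myform&element=" + encodeURIComponent(PAYLOAD)));
```

The allowlist approach matches what the chooser actually needs (a form and field name), so it removes the eval() sink entirely rather than trying to escape quotes; the 'opener' guard mirrors the precondition noted in the description, since without a parent window there is nothing to write to and nothing to exploit.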

Scores

CVSS v4 2.1
EPSS 0.0047
EPSS Percentile 36.9%
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
phpLDAPadmin/phpLDAPadmin 1.2.1
phpLDAPadmin/phpLDAPadmin 1.2.6.7
Published Dec 19, 2024
Tracked Since Feb 18, 2026