CVE-2024-9102

MEDIUM

phpLDAPadmin <=1.2.6.7 - CSV Formula Injection


Description

phpLDAPadmin, from at least version 1.2.0 through the latest version 1.2.6.7, allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. This could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed; the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export.
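Because the export is not filtered and no fix is planned, neutralization has to happen after export and before the file reaches a spreadsheet. The following is an added example, not phpLDAPadmin code: it assumes a comma-delimited export, uses a constructed sample, and applies the apostrophe-prefix mitigation commonly recommended for CWE-1236 (the function names are hypothetical).

```python
import csv
import io

# Leading characters that spreadsheet applications may treat as the start of a
# formula (the set listed in OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Prefix a cell with an apostrophe if a spreadsheet could evaluate it."""
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def neutralize_csv(text: str, delimiter: str = ","):
    """Return (sanitized CSV text, findings) for an exported CSV document.

    findings holds (row, column, original value) for every rewritten cell,
    so the LDAP entries that carry those values can be reviewed.
    """
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=delimiter)
    out = io.StringIO(newline="")
    # QUOTE_ALL keeps embedded delimiters and quotes inside a single cell.
    writer = csv.writer(out, delimiter=delimiter, quoting=csv.QUOTE_ALL,
                        lineterminator="\n")
    findings = []
    for r, row in enumerate(reader, start=1):
        clean = []
        for c, cell in enumerate(row, start=1):
            fixed = neutralize_cell(cell)
            if fixed != cell:
                findings.append((r, c, cell))
            clean.append(fixed)
        writer.writerow(clean)
    return out.getvalue(), findings


# Constructed sample export (column layout is an assumption, not real data).
SAMPLE_EXPORT = (
    '"dn","cn","description","telephoneNumber"\n'
    '"cn=alice,dc=example,dc=com","alice","=1+1","+1 555 0100"\n'
    '"cn=bob,dc=example,dc=com","bob","plain text","555 0101"\n'
)

if __name__ == "__main__":
    cleaned, hits = neutralize_csv(SAMPLE_EXPORT)
    print(cleaned)
    for row, col, original in hits:
        print(f"row {row} col {col}: neutralized {original!r}")
```

The prefix also lands on legitimate values that begin with a trigger character, such as the `+1 555 0100` phone number in the sample, so the sanitized copy is for viewing in a spreadsheet and should not be re-imported into the directory.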

Scores

CVSS v4 5.0
EPSS 0.0014
EPSS Percentile 34.4%
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1236
Status published
Products (2)
phpLDAPadmin/phpLDAPadmin 1.2.0
phpLDAPadmin/phpLDAPadmin 1.2.6.7
Published Dec 19, 2024
Tracked Since Feb 18, 2026