CVE-2025-58174
Severity: MEDIUM
LDAP Account Manager < 9.3 - Authenticated Stored Cross-Site Scripting via Profile Name Field
Title source: llmDescription
LDAP Account Manager (LAM) is a web frontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field: the field's content is rendered as HTML rather than escaped, so a supplied script (for example a script element) is executed. An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6gqg-wm9x-5x3m
Scores
CVSS v3: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS: 0.0016
EPSS Percentile: 5.8%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (1): LDAPAccountManager/lam < 9.3
Published: Sep 16, 2025
Tracked Since: Feb 18, 2026