Fluid Attacks Database

Description

phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed, the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor filter it on export.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 14	phpldapadmin	=1.2.6.7-4
debian 13	phpldapadmin	=1.2.6.7-4
debian 12	phpldapadmin	=1.2.6.3-0.3 \|\| =1.2.6.3-0.3+deb12u1 \|\| =1.2.6.6-1 \|\| =1.2.6.6-2 \|\| =1.2.6.7-1 \|\| =1.2.6.7-2 \|\| =1.2.6.7-2~bpo12+1 \|\| =1.2.6.7-3 \|\| =1.2.6.7-3~bpo12+1 \|\| =1.2.6.7-4

Aliases

1. CVE-2024-91022. NVD-2024-91023. OSV-DEBIAN-2024-91024. OSV-2024-91025. SECURITY-TRACKER-CVE-2024-9102

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.