Fluid Attacks Database

Description

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	phpldapadmin	=1.2.6.3-0.3 \|\| =1.2.6.3-0.3+deb12u1 \|\| =1.2.6.6-1 \|\| =1.2.6.6-2 \|\| =1.2.6.7-1 \|\| =1.2.6.7-2 \|\| =1.2.6.7-2~bpo12+1 \|\| =1.2.6.7-3 \|\| =1.2.6.7-3~bpo12+1 \|\| =1.2.6.7-4	-
debian 13	phpldapadmin	>=0 <1.2.6.7-4	1.2.6.7-4
debian 14	phpldapadmin	>=0 <1.2.6.7-4	1.2.6.7-4

Aliases

1. CVE-2024-91012. NVD-2024-91013. OSV-DEBIAN-2024-91014. OSV-2024-91015. SECURITY-TRACKER-CVE-2024-9101

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.