Fluid Attacks Database

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 13	ldap-account-manager	=9.0-1 \|\| =9.5.1-1
debian 11	ldap-account-manager	=7.4-1 \|\| =7.5-1 \|\| =7.7-1 \|\| =7.9-1 \|\| =7.9.1-1 \|\| =8.0.1-0+deb11u1 \|\| =8.0.1-1 \|\| =8.0.1-1.1 \|\| =8.1-1 \|\| =8.2-1 \|\| =8.3-1 \|\| =8.5-1 \|\| =8.6-1 \|\| =8.7-1 \|\| =9.0-1 \|\| =9.5.1-1
debian 12	ldap-account-manager	=8.3-1 \|\| =8.5-1 \|\| =8.6-1 \|\| =8.7-1 \|\| =9.0-1 \|\| =9.5.1-1

Aliases

1. CVE-2025-581742. NVD-2025-581743. OSV-DEBIAN-2025-581744. OSV-2025-581745. SECURITY-TRACKER-CVE-2025-58174