Source: phpldapadmin
Version: 1.2.6.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.2.6.3-0.3+deb12u1
Control: found -1 1.2.6.3-0.3

Hi,

The following vulnerabilities were published for phpldapadmin.

CVE-2024-9101[0]:
| A reflected cross-site scripting (XSS) vulnerability in the 'Entry
| Chooser' of phpLDAPadmin (version 1.2.1 through the latest version,
| 1.2.6.7) allows attackers to execute arbitrary JavaScript in the
| user's browser via the 'element' parameter, which is unsafely passed
| to the JavaScript 'eval' function. However, exploitation is limited
| to specific conditions where 'opener' is correctly set.

CVE-2024-9102[1]:
| phpLDAPadmin since at least version 1.2.0 through the latest version
| 1.2.6.7 allows users to export elements from the LDAP directory into
| a Comma-Separated Value (CSV) file, but it does not neutralize
| special elements that could be interpreted as a command when the
| file is opened by a spreadsheet product. Thus, this could lead to
| CSV Formula Injection.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-9101
    https://www.cve.org/CVERecord?id=CVE-2024-9101
[1] https://security-tracker.debian.org/tracker/CVE-2024-9102
    https://www.cve.org/CVERecord?id=CVE-2024-9102
[2] https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
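The CSV formula injection described under CVE-2024-9102 comes down to exporting attribute values verbatim into cells that a spreadsheet will evaluate. The following added example (not phpLDAPadmin code, and written in Python rather than the project's PHP) shows the neutralization an exporter should apply, plus a small audit that flags formula-looking cells in an existing export; the sample LDAP rows are constructed.

```python
import csv
import io

# A cell whose first non-blank character is one of these is treated as a
# formula by common spreadsheet products when the CSV is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.lstrip().startswith(FORMULA_TRIGGERS)

def neutralize_cell(value: str) -> str:
    """Prefix formula-looking cells with a single quote so they stay text.

    The quote may remain visible in the cell; that is the accepted trade-off.
    Benign values such as '+41 ...' phone numbers are neutralized too.
    """
    return "'" + value if is_formula_like(value) else value

def export_csv(header, rows) -> str:
    """Write rows as CSV with every field quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell("" if v is None else str(v)) for v in row])
    return buf.getvalue()

def find_formula_cells(csv_text: str):
    """Audit an existing export: return (row, column, value) for risky cells."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, value in enumerate(row):
            if is_formula_like(value):
                hits.append((r, c, value))
    return hits

# Constructed sample directory rows (hypothetical entries, not real data).
SAMPLE_HEADER = ["dn", "cn", "telephoneNumber", "description"]
SAMPLE_ROWS = [
    ["cn=alice,dc=example,dc=org", "Alice", "+41 22 555 0100", "Team lead"],
    ["cn=bob,dc=example,dc=org", "Bob", None, "=1+1"],
]

def export_sample() -> str:
    return export_csv(SAMPLE_HEADER, SAMPLE_ROWS)

if __name__ == "__main__":
    print(export_sample())
    # A naive export of the same rows would be flagged by the audit:
    naive = "\n".join(",".join(str(v) for v in row) for row in SAMPLE_ROWS)
    print(find_formula_cells(naive))
```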