CVE-2024-9101: phpLDAPadmin: Reflected Cross-Site Scripting in entry_chooser.php

CVSS 2.1

Description

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' (entry_chooser.php) of phpLDAPadmin, versions 1.2.1 through 1.2.6.7 (the latest release at the time of the advisory), allows an attacker to execute arbitrary JavaScript in a victim's browser via the 'element' parameter, which is concatenated unsanitized into a string passed to the JavaScript eval() function. Exploitation is limited to the case where the chooser window's 'opener' is set, i.e. the page was opened from another window (for example via window.open) rather than loaded on its own, since the evaluated code dereferences 'opener' first.
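The bug class described above, as an added example that is not phpLDAPadmin's own code: a hypothetical reconstruction of a chooser callback that splices an untrusted 'element' parameter into source text for eval() and writes back into window.opener, shown next to a hardened form that validates the name and uses plain property access instead. The field name 'dn_field', the shape of the constructed 'opener' stand-in and the payload are all assumptions for this demo; it runs under Node without a browser.

```javascript
// Added example, not phpLDAPadmin's code. Reconstructs the pattern named in
// the description: an untrusted 'element' parameter concatenated into JavaScript
// source and passed to eval() in a popup that writes into window.opener.
// 'dn_field', the opener layout and PAYLOAD are constructed for this demo.

// Constructed stand-in for window.opener: the page that opened the chooser
// popup, with one form whose field the chooser is supposed to fill in.
function makeOpener() {
  return {
    document: { forms: [{ elements: { dn_field: { value: '' } } }] },
    hit: false, // flipped only if injected code actually runs
  };
}

// VULNERABLE pattern: the element name is spliced into source text and
// evaluated, so anything that follows a valid identifier executes as well.
// Because the expression starts with 'opener.document', it throws when the
// popup has no opener, which is the limiting condition the advisory notes.
function returnDnVulnerable(opener, element, dn) {
  eval('opener.document.forms[0].elements.' + element + '.value = dn;');
  return true;
}

// HARDENED form: the parameter must match a strict identifier pattern and is
// then used only as a property key, never as code. Names inherited from
// Object.prototype (e.g. 'constructor') are rejected via hasOwnProperty; in a
// real DOM, form.elements.namedItem(element) is the equivalent lookup.
const ELEMENT_NAME = /^[A-Za-z_][A-Za-z0-9_-]*$/;

function returnDnSafe(opener, element, dn) {
  if (!opener) return false; // popup was not opened from another window
  if (typeof element !== 'string' || !ELEMENT_NAME.test(element)) {
    throw new Error('rejected element name: ' + JSON.stringify(element));
  }
  const controls = opener.document.forms[0].elements;
  if (!Object.prototype.hasOwnProperty.call(controls, element)) {
    throw new Error('no such form control: ' + element);
  }
  controls[element].value = dn;
  return true;
}

// Constructed payload: a valid field name followed by injected statements,
// ending in an expression so the trailing '.value = dn;' still parses.
const PAYLOAD = 'dn_field;opener.hit=true;opener.document.forms[0].elements.dn_field';

// Runs both versions against the payload and reports what happened.
function demo() {
  const vuln = makeOpener();
  returnDnVulnerable(vuln, PAYLOAD, 'cn=example');

  const hard = makeOpener();
  let payloadRejected = false;
  try { returnDnSafe(hard, PAYLOAD, 'cn=example'); } catch (e) { payloadRejected = true; }
  returnDnSafe(hard, 'dn_field', 'cn=example'); // legitimate use still works

  let blockedWithoutOpener = false;
  try { returnDnVulnerable(null, PAYLOAD, 'cn=example'); } catch (e) { blockedWithoutOpener = true; }

  return {
    injectedRan: vuln.hit,
    payloadRejected,
    hardHit: hard.hit,
    safeWrite: hard.document.forms[0].elements.dn_field.value,
    blockedWithoutOpener,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The hardened version deliberately fails closed: an unexpected name is an error rather than a silent no-op, which makes probing for the bug visible in client-side error logs rather than invisible.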

Classification

CVE ID: CVE-2024-9101

CVSS Base Severity: LOW

CVSS Base Score: 2.1

Affected Products

Vendor: phpLDAPadmin

Product: phpLDAPadmin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 17.81% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/
https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27
https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php
https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1/

Timeline