CVE-2024-9101

Publication date 20 December 2024

Last updated 20 December 2024

Ubuntu priority

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
phpldapadmin	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-9101
https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/
https://github.com/leenooks/phpLDAPadmin/blob/master/htdocs/entry_chooser.php
https://github.com/leenooks/phpLDAPadmin/commit/f713afc8d164169516c91b0988531f2accb9bce6#diff-c2d6d7678ada004e704ee055169395a58227aaec86a6f75fa74ca18ff49bca44R27
https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.1/