phpldapadmin: cross-site scripting
| Package(s): | phpldapadmin | CVE #(s): | CVE-2012-1114 CVE-2012-1115 | ||||||||
| Created: | October 8, 2012 | Updated: | October 10, 2012 | ||||||||
| Description: | From the Red Hat bugzilla:
Originally (2012-03-01), the following cross-site (XSS) flaws were reported against LDAP Account Manager Pro (from Secunia advisory): * 1) Input passed to e.g. the "filteruid" POST parameter when filtering result sets in lam/templates/lists/list.php (when "type" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. * 2) Input passed to the "filter" POST parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "export" and "exporter_id" is set to "LDIF") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. * 3) Input passed to the "attr" parameter in lam/templates/3rdParty/pla/htdocs/cmd.php (when "cmd" is set to "add_value_form" and "dn" is set to a valid value) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. | ||||||||||
| Alerts: |
| ||||||||||