Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2012-1114, CVE-2012-1115
CWE-ID: CWE-79
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
- LDAP Account Manager (Server applications / Remote management servers, RDP, SSH)
- Debian Linux (Operating systems & Components / Operating system)
- Fedora (Operating systems & Components / Operating system)
Vendor:
- LDAP Account Manager
- Debian
- Fedoraproject
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU35001
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2012-1114
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action, and in the filteruid parameter to list.php.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions:
LDAP Account Manager: 3.6
Debian Linux: 3.6 - 9.0
Fedora: 3.6 - 18
CPE2.3:
References:
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089313.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089328.html
https://www.openwall.com/lists/oss-security/2012/03/05/24
https://www.openwall.com/lists/oss-security/2012/03/12/1
https://www.openwall.com/lists/oss-security/2012/03/12/10
https://www.securityfocus.com/bid/52255
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1114
https://exchange.xforce.ibmcloud.com/vulnerabilities/73971
https://security-tracker.debian.org/tracker/CVE-2012-1114
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU35002
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2012-1115
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions:
LDAP Account Manager: 3.6
Debian Linux: 3.6 - 9.0
Fedora: 3.6 - 18
CPE2.3:
References:
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html
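Both entries in this bulletin (CVE-2012-1114 and CVE-2012-1115) describe the same defect class: a request parameter (filter, filteruid, export, add_value_form, dn) reflected into the generated page without neutralization (CWE-79). The PHP below is an added illustration written for this bulletin; it is not LAM's code and does not reproduce how LAM handled these parameters. The function names, the array passed in place of $_GET, and the allow-list pattern are assumptions made for the example. It shows the vulnerable reflection pattern beside a hardened form that applies contextual output encoding and input validation.

```php
<?php
// Added example for this bulletin, not LDAP Account Manager's own code.
// Demonstrates reflected XSS (CWE-79) in a request parameter that is
// echoed into generated HTML, and the corresponding hardened pattern.

// Vulnerable pattern: the raw query parameter is concatenated into markup.
// A value such as "><b>injected</b> closes the attribute and injects HTML.
function render_filter_vulnerable(array $params): string
{
    $filter = $params['filter'] ?? '';
    return '<input type="text" name="filter" value="' . $filter . '">';
}

// Hardened pattern: encode for the HTML attribute context on output.
// ENT_QUOTES covers both quote characters so the attribute cannot be closed.
function render_filter_safe(array $params): string
{
    $filter  = $params['filter'] ?? '';
    $encoded = htmlspecialchars($filter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter" value="' . $encoded . '">';
}

// Defence in depth: validate parameters that have a known shape before use.
// Hypothetical allow-list for a uid filter; markup characters are rejected.
function validate_uid_filter(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9._*@=-]{0,64}$/', $value) === 1 ? $value : null;
}

// Constructed sample inputs: one benign value, one carrying markup.
$samples = [
    ['filter' => 'jdoe'],
    ['filter' => '"><b>injected</b>'],
];

if (PHP_SAPI === 'cli') {
    foreach ($samples as $get) {
        echo "input     : {$get['filter']}\n";
        echo "vulnerable: " . render_filter_vulnerable($get) . "\n";
        echo "hardened  : " . render_filter_safe($get) . "\n";
        $valid = validate_uid_filter($get['filter']);
        echo "validated : " . ($valid === null ? 'rejected' : $valid) . "\n\n";
    }
}
```

Run with `php example.php`. For the second sample the vulnerable renderer emits a closed attribute followed by live markup, while the hardened renderer emits `&quot;&gt;&lt;b&gt;...` inside the attribute and the validator rejects the value outright. Encoding at the point of output is the primary fix; validation narrows what reaches the page and makes such input easier to log and alert on.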
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089313.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089328.html
https://www.openwall.com/lists/oss-security/2012/03/05/24
https://www.openwall.com/lists/oss-security/2012/03/12/1
https://www.openwall.com/lists/oss-security/2012/03/12/10
https://www.securityfocus.com/bid/52255
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1115
https://exchange.xforce.ibmcloud.com/vulnerabilities/73971
https://exchange.xforce.ibmcloud.com/vulnerabilities/74357
https://security-tracker.debian.org/tracker/CVE-2012-1115
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.