#VU35001 Cross-site scripting in Fedoraproject products - CVE-2012-1114
Vulnerability identifier: #VU35001
Vulnerability risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
LDAP Account Manager
Server applications /
Remote management servers, RDP, SSH
Debian Linux
Operating systems & Components /
Operating system
Fedora
Operating systems & Components /
Operating system
Vendor:
LDAP Account Manager
Debian
Fedoraproject
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
Mitigation
Install update from vendor's website.
Vulnerable software versions
LDAP Account Manager: 3.6
Debian Linux: 3.6 - 9.0
Fedora: 3.6 - 18
External links
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089297.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089313.html
https://lists.fedoraproject.org/pipermail/package-announce/2012-October/089328.html
https://www.openwall.com/lists/oss-security/2012/03/05/24
https://www.openwall.com/lists/oss-security/2012/03/12/1
https://www.openwall.com/lists/oss-security/2012/03/12/10
https://www.securityfocus.com/bid/52255
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1114
https://exchange.xforce.ibmcloud.com/vulnerabilities/73971
https://security-tracker.debian.org/tracker/CVE-2012-1114
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
