Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Ldap-account-manager Subscribe
Filtered by product Ldap Account Manager

CVSS v3 Filter

ALL
NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-31084 2 Debian, Ldap-account-manager 2 Debian Linux, Ldap Account Manager 2022-07-18 6.8 MEDIUM 8.1 HIGH
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to code execution if non-LAM classes are instantiated that execute code during object creation. This issue has been fixed in version 8.0.
CVE-2022-31087 2 Debian, Ldap-account-manager 2 Debian Linux, Ldap Account Manager 2022-07-07 7.2 HIGH 7.8 HIGH
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the tmp directory, which is accessible by /lam/tmp/, allows interpretation of .php (and .php5/.php4/.phpt/etc) files. An attacker capable of writing files under www-data privileges can write a web-shell into this directory, and gain a Code Execution on the host. This issue has been fixed in version 8.0. Users unable to upgrade should disallow executing PHP scripts in (/var/lib/ldap-account-manager/)tmp directory.
CVE-2022-31086 2 Debian, Ldap-account-manager 2 Debian Linux, Ldap Account Manager 2022-07-07 6.0 MEDIUM 8.8 HIGH
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.
CVE-2018-8764 2 Debian, Ldap-account-manager 2 Debian Linux, Ldap Account Manager 2018-04-20 6.8 MEDIUM 8.8 HIGH
Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sec_token parameter of a URI, which makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging.