CVE-2024-9101
Description
A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' function. However, exploitation is limited to specific conditions where 'opener' is correctly set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in phpLDAPadmin's Entry Chooser allows arbitrary JavaScript execution via the 'element' parameter passed to eval(), but exploitation requires specific conditions.
Vulnerability
Description
CVE-2024-9101 describes a reflected cross-site scripting (XSS) vulnerability in the Entry Chooser component of phpLDAPadmin (versions 1.2.1 through 1.2.6.7). The root cause is that the element request parameter is unsafely passed to the JavaScript eval() function inside entry_chooser.php, allowing an attacker to inject and execute arbitrary JavaScript in the victim's browser [2]. No authentication is required to trigger this, as the Entry Chooser is accessible without prior login [2].
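As an added example (not phpLDAPadmin's own code and not taken from the advisory), the following contrasts the pattern described above, a request parameter spliced into a string handed to eval(), with a validated lookup that assigns data instead of executing code. It assumes the chooser's job is to write the selected DN into a form field of the opener window named by the element parameter; the stub document and the field name entry_dn are constructed for the example.

```javascript
// Added example, not phpLDAPadmin code. Assumed design: the chooser popup
// writes the selected DN into a form field of window.opener, and the
// 'element' query parameter names that field.
//
// Unsafe pattern (comment only; this is what the advisory describes):
//   eval('opener.document.' + element + '.value = ' + JSON.stringify(dn));
// Anything appended to 'element' by a crafted link becomes JavaScript.

// Allowlist for a field name: identifier-like, bounded length, no
// punctuation that could terminate or extend an expression.
const FIELD_NAME = /^[A-Za-z_][A-Za-z0-9_-]{0,63}$/;

// Returns the name if it passes the allowlist, otherwise null.
function validateElementName(raw) {
  if (typeof raw !== 'string' || !FIELD_NAME.test(raw)) {
    return null;
  }
  return raw;
}

// Writes dn into the named field of openerDoc without evaluating any code.
// Returns true on success; false if the name is invalid, the opener
// document is absent (the 'opener' precondition), or no such field exists.
function writeSelectedDn(openerDoc, rawElement, dn) {
  const name = validateElementName(rawElement);
  if (name === null || !openerDoc) {
    return false;
  }
  const fields = openerDoc.getElementsByName(name);
  if (!fields || fields.length === 0) {
    return false;
  }
  fields[0].value = dn; // plain data assignment, not code execution
  return true;
}

// Constructed stand-in for the opener's document so the example runs
// outside a browser; it mimics document.getElementsByName().
function makeStubDocument(fieldNames) {
  const fields = new Map(fieldNames.map((n) => [n, { name: n, value: '' }]));
  return {
    fields,
    getElementsByName: (n) => (fields.has(n) ? [fields.get(n)] : []),
  };
}
```

Calling writeSelectedDn(makeStubDocument(['entry_dn']), 'entry_dn', 'cn=admin,dc=example,dc=org') returns true and stores the DN, while any name containing punctuation such as ';' or '(' is refused before it can reach the document.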
Exploitation
Requirements
Exploitation is not straightforward, however. The advisory from Redguard AG notes that successful exploitation requires specific conditions, most notably that the opener property is correctly set in the browser context [2]. This limits the attack surface: a typical reflected XSS scenario, in which an attacker sends a crafted link to a victim, succeeds only if the victim's browser context meets these prerequisites. The official description confirms that exploitation is 'limited to specific conditions where opener is correctly set' [1].
Impact
If an attacker successfully exploits this, they can execute arbitrary JavaScript in the context of the victim's session on the phpLDAPadmin application. This could allow actions such as session token theft, LDAP tree manipulation, or other actions the victim can perform, potentially compromising the LDAP management interface [2].
Mitigation
Status
At the time of publication, the phpLDAPadmin development team had not addressed this vulnerability despite a Coordinated Vulnerability Disclosure initiated by Redguard AG in July 2024 [2]. As of 2024-12-19, no patch or workaround has been released, and the software remains unpatched [2]. Since phpLDAPadmin is widely used for managing LDAP directories, administrators should restrict network access to the application and consider additional monitoring.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: RELEASE-0.9.0, RELEASE-0.9.1, RELEASE-0.9.2, …
- Range: 1.2.1 - 1.2.6.7
Patches
1f713afc8d164
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.