Medium severity (4.6) · OSV Advisory · Published Sep 16, 2025 · Updated Apr 15, 2026
CVE-2025-58174
Description
LDAP Account Manager (LAM) is a web front end for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
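The description above names the defect precisely: a stored string is emitted into the page as HTML instead of as text. The following PHP example is added here to illustrate that rendering boundary; it is not LAM's own code, and the function names, the `$storedProfileName` sample value and the validation pattern are all hypothetical. It shows the unsafe concatenation pattern beside an output-encoded version and an optional input check.

```php
<?php
// Added illustration, not code from LAM. All names here are hypothetical.
declare(strict_types=1);

// Constructed sample value: a stored profile name that carries markup.
// Stands in for a value read back from wherever profiles are persisted.
$storedProfileName = '<script>alert(1)</script>';

// Vulnerable pattern: the stored string is concatenated into the HTML
// response unchanged, so the browser parses it as markup and runs the
// script element instead of displaying the name.
function renderProfileRowUnsafe(string $profileName): string
{
    return '<tr><td>' . $profileName . '</td></tr>';
}

// Hardened pattern: encode at the output boundary. ENT_QUOTES also covers
// attribute contexts; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string, which would silently drop the value.
function renderProfileRowSafe(string $profileName): string
{
    $escaped = htmlspecialchars(
        $profileName,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<tr><td>' . $escaped . '</td></tr>';
}

// Defence in depth (hypothetical policy): reject profile names containing
// characters the application never needs, so such values are not stored.
// Output encoding above remains the primary control.
function isValidProfileName(string $profileName): bool
{
    return preg_match('/^[A-Za-z0-9 _.-]{1,100}$/', $profileName) === 1;
}

echo renderProfileRowUnsafe($storedProfileName), PHP_EOL;
echo renderProfileRowSafe($storedProfileName), PHP_EOL;
var_dump(isValidProfileName($storedProfileName));
```

Run with `php example.php`: the first line shows the markup reaching the browser's parser intact, the second shows it neutralised as `&lt;script&gt;…`, and the validation check rejects the constructed value. The encoding call is the fix that matters; the allow-list is only a secondary control, since a name such as `O'Brien` or a non-Latin name may legitimately fail it.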
Affected products
Range: 8.5, 8.6, 8.6.RC1, …
Patches
15 files changed · +6 −6
lam/HISTORY+1 −1 modified@@ -1,4 +1,4 @@ -September 2025 9.3 +16.09.2025 9.3 - New translation: Greek - Tree view: added comparison feature (440) - Windows: added logon hours (457)
lam-packaging/debian/changelog+2 −2 modified@@ -1,8 +1,8 @@ -ldap-account-manager (9.3.RC1-1) unstable; urgency=medium +ldap-account-manager (9.3-1) unstable; urgency=medium * new upstream release - -- Roland Gruber <post@rolandgruber.de> Mon, 01 Sep 2025 20:11:26 +0200 + -- Roland Gruber <post@rolandgruber.de> Mon, 15 Sep 2025 07:11:26 +0200 ldap-account-manager (9.2-1) unstable; urgency=medium
lam-packaging/docker/docker-compose.yml+1 −1 modified@@ -3,7 +3,7 @@ services: ldap-account-manager: build: context: . - image: ldapaccountmanager/lam:9.3.RC1 + image: ldapaccountmanager/lam:9.3 restart: unless-stopped ports: - "8080:80"
lam-packaging/docker/Dockerfile+1 −1 modified@@ -29,7 +29,7 @@ FROM debian:bookworm-slim LABEL maintainer="Roland Gruber <post@rolandgruber.de>" -ARG LAM_RELEASE=9.3.RC1 +ARG LAM_RELEASE=9.3 EXPOSE 80 ENV \
lam/VERSION+1 −1 modified@@ -1 +1 @@ -9.3.RC1 +9.3
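Review bot: in the lam/HISTORY hunk the release date becomes "16.09.2025", while the lam-packaging/debian/changelog hunk in the same change stamps the 9.3 package on "Mon, 15 Sep 2025 07:11:26 +0200"; one of the two dates should be corrected so the changelog and the packaging metadata agree.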
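Review bot: the lam/VERSION hunk (together with the Dockerfile, docker-compose.yml and packaging hunks) only moves the version string from 9.3.RC1 to 9.3; none of the listed hunks touches the code that renders the profile name, so this diff documents the release tag rather than the escaping change that resolves the stored XSS. Linking the commit that adds output encoding for the profile name field would make the fix auditable from this advisory.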