CVE-2025-58174
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-58174
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-58174.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-58174
- Aliases
-
- GHSA-6gqg-wm9x-5x3m
- Downstream
- Published
- 2025-09-16T17:15:41Z
- Modified
- 2025-09-18T04:58:40.207252Z
- Summary
- [none]
- Details
-
LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned.
- References
Affected packages
Git / github.com/ldapaccountmanager/lam
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ldapaccountmanager/lam
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
8.*
8.5
8.6
8.6.RC1
8.7
8.7.RC1
8.8
8.8.RC1
8.9
8.9.RC1
9.*
9.0
9.0.RC1
9.1
9.1.RC1
9.2
9.2.RC1
9.3.RC1
Other
lam_5_4
lam_5_4_RC1
lam_5_5
lam_5_5_RC1
lam_5_6
lam_5_6_RC1
lam_5_7
lam_5_7_RC1
lam_6_0
lam_6_0_1
lam_6_0_RC1
lam_6_0_RC2
lam_6_1
lam_6_1_RC1
lam_6_2
lam_6_2_1
lam_6_2_RC1
lam_6_3
lam_6_3_RC1
lam_6_4
lam_6_4_RC1
lam_6_5
lam_6_5_RC1
lam_6_6
lam_6_6_RC1
lam_6_7
lam_6_7_RC1
lam_6_8
lam_6_8_RC1
lam_6_9
lam_6_9_RC1
lam_7_0
lam_7_0_RC1
lam_7_1
lam_7_1_RC1
lam_7_2
lam_7_2_RC1
lam_7_3
lam_7_3_RC1
lam_7_4
lam_7_4_RC1
lam_7_5
lam_7_5_RC1
lam_7_6
lam_7_6_RC1
lam_7_7
lam_7_7_RC1
lam_7_8
lam_7_8_RC1
lam_7_9
lam_7_9_1
lam_7_9_RC1
lam_8_0
lam_8_0_1
lam_8_0_RC1
lam_8_1
lam_8_1_RC1
lam_8_2
lam_8_2_RC1
lam_8_3
lam_8_3_RC1
lam_8_4
lam_8_4_RC1
lam_8_5_RC1
untagged-0f11e4b04e249cac51c5