UBUNTU-CVE-2022-24851

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-24851

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-24851.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2022-24851

Related

CVE-2022-24851

Published

2022-04-15T19:15:00Z

Modified

2024-10-28T16:32:04Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version 7.9.1.

References

Affected packages

Ubuntu:Pro:16.04:LTS / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/ubuntu/ldap-account-manager?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.9-1

5.*

5.1-1

5.2-1

5.2-1ubuntu1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/ubuntu/ldap-account-manager?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.7-1

6.*

6.1-1

6.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/ubuntu/ldap-account-manager?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / ldap-account-manager

Package

Name: ldap-account-manager
Purl: pkg:deb/ubuntu/ldap-account-manager?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.5-1

7.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}