Unknown · LDAP Account Manager · CVE-2026-27895
**Name of the Vulnerable Software and Affected Versions**
LDAP Account Manager versions prior to 9.5
**Description**
LDAP Account Manager (LAM) is a web frontend used for managing entries in an LDAP directory, such as users, groups, and DHCP settings. Before version 9.5, the PDF export component does not properly validate file extensions during file uploads, so any file type, including `.php` files, can be uploaded. An attacker who uploads a malicious file this way can achieve remote code execution as the web server user, potentially compromising the system.
**Recommendations**
Versions prior to 9.5 should be upgraded to version 9.5 or later.
As a workaround, make the `/var/lib/ldap-account-manager/config` directory read-only for the web server user.
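
The following script is an added example, not part of the advisory or of LAM's own code. It checks whether the workaround is in effect and lists files with PHP extensions under the config directory for review. Assumptions: the extension list beyond `.php`, that such files would sit under this directory, and that the script is run as the web server user.

```shell
#!/bin/sh
# Added example, not LAM code. Path is the one named in the workaround.
LAM_CONFIG_DIR="${LAM_CONFIG_DIR:-/var/lib/ldap-account-manager/config}"

# List regular files under $1 with extensions commonly mapped to the PHP
# handler. Only ".php" comes from the advisory; the others are assumptions.
find_php_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# List directories under $1 that the invoking user can still write to.
# Run as the web server user; root bypasses permission bits.
find_writable_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r d; do
        if [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# Return 0 if clean, 1 if there are findings, 2 if the directory is missing.
audit_lam_config() {
    dir="${1:-$LAM_CONFIG_DIR}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    php_files=$(find_php_files "$dir")
    if [ -n "$php_files" ]; then
        echo "Files with PHP extensions (review owner and mtime):"
        printf '%s\n' "$php_files" | while IFS= read -r f; do
            ls -ld -- "$f"
        done
        rc=1
    fi
    writable=$(find_writable_dirs "$dir")
    if [ -n "$writable" ]; then
        echo "Directories writable by $(id -un):"
        printf '%s\n' "$writable"
        rc=1
    fi
    return "$rc"
}

# Audit only when a directory is passed, e.g.: sh audit.sh "$LAM_CONFIG_DIR"
if [ "$#" -gt 0 ]; then audit_lam_config "$1"; fi
```

A non-empty "writable" list when run as the web server user means the read-only workaround has not been applied to those directories.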