
Michal Kedzior

#18268 of 53,638
14.9 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2018-18618
6.1
2018-03-27
Unknown · Ldap Account Manager · CVE-2018-8763
**Name of the Vulnerable Software and Affected Versions**

LDAP Account Manager versions prior to 6.3

**Description**

The issue allows for XSS via the `dn` parameter to the "templates/3rdParty/pla/htdocs/cmd.php" URI or the `template` parameter to the "templates/3rdParty/pla/htdocs/cmd.php?cmd=rename_form" URI.

**Recommendations**

For versions prior to 6.3, update to version 6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "cmd.php" endpoint and avoiding the use of the `dn` and `template` parameters in the affected URIs until the issue is resolved.
PT-2018-18619
8.8
2018-03-27
Unknown · Ldap Account Manager · CVE-2018-8764
**Name of the Vulnerable Software and Affected Versions**

LDAP Account Manager versions prior to 6.3

**Description**

The issue makes it easier for remote attackers to defeat a CSRF protection mechanism by leveraging logging, as the CSRF token is placed in the `sec_token` parameter of a URI.

**Recommendations**

For versions prior to 6.3, update to version 6.3 or later to resolve the issue.