PT-2019-10244 · Php · Phamm

H33Raj

·

Published

2019-03-15

·

Updated

2019-03-18

·

CVE-2018-20806

CVSS v3.1

6.1

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Phamm (aka PHP LDAP Virtual Hosting Manager) version 0.6.8
Description: The issue allows for XSS via the login page, specifically through the "action" parameter in the /public/main.php API endpoint.
Recommendations: For Phamm (aka PHP LDAP Virtual Hosting Manager) version 0.6.8, consider restricting access to the /public/main.php API endpoint until a patch is available, and avoid using the action parameter in this endpoint to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2018-20806

Affected Products

Phamm