PT-2022-16926 · Unknown · Ldap Account Manager

Arseniy Sharoglazov · Published 2022-04-15 · Updated 2022-10-07 · CVE-2022-24851

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager (LAM) versions prior to 7.9.1

Description: The profile editor tool in LDAP Account Manager (LAM) has an edit profile function whose parameters are not properly sanitized, leading to stored XSS. An authenticated user can store XSS payloads in profiles, which are triggered when another user opens the edit profile page. The PDF editor tool's edit PDF profile function has a logoFile parameter that is likewise not properly sanitized, allowing users to enter relative paths and access files outside the intended directory. Both issues require the attacker to be able to log in to the LAM admin interface.

Recommendations: For versions prior to 7.9.1, update to version 7.9.1 to resolve the issue. As a temporary workaround, consider disabling the edit profile function and the PDF editor tool until the update is applied. Restrict access to the admin interface to minimize the risk of exploitation. Avoid using the logoFile parameter in the PDF editor tool until the issue is resolved.
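The logoFile issue above is a file-name parameter that was accepted as a relative path. The following is an added illustrative example (not LAM's own code or its actual fix) of the kind of confinement check that prevents it: the value is required to be a bare image file name, and the resolved path is re-checked to stay inside a fixed logo directory. The directory `/var/lib/lam/logos` and the allowed extensions are assumptions.

```python
from pathlib import Path, PurePosixPath

# Assumed logo directory; a placeholder, not LAM's real configuration.
LOGO_DIR = Path("/var/lib/lam/logos")
ALLOWED_EXT = {".png", ".jpg", ".jpeg"}


class InvalidLogoFile(ValueError):
    """Raised when a user-supplied logo name is rejected."""


def resolve_logo_path(logo_file: str, logo_dir: Path = LOGO_DIR) -> Path:
    """Return the absolute path of a logo, or raise InvalidLogoFile.

    A logo is a single file name, never a path: any separator, NUL byte,
    dot-name or unexpected extension is rejected before the filesystem is
    touched. The resolved path is then checked to sit directly inside
    logo_dir, which also catches a bare name that is a symlink pointing
    elsewhere (defence in depth, not a substitute for the name check).
    """
    if not logo_file or logo_file in (".", ".."):
        raise InvalidLogoFile("empty or dot name")
    if "/" in logo_file or "\\" in logo_file or "\x00" in logo_file:
        raise InvalidLogoFile("path separators are not allowed")
    if PurePosixPath(logo_file).suffix.lower() not in ALLOWED_EXT:
        raise InvalidLogoFile("unexpected file extension")

    base = logo_dir.resolve()
    candidate = (base / logo_file).resolve()
    if candidate.parent != base:
        raise InvalidLogoFile("resolved outside the logo directory")
    return candidate


def is_valid_logo_file(logo_file: str, logo_dir: Path = LOGO_DIR) -> bool:
    """Boolean convenience wrapper for form validation."""
    try:
        resolve_logo_path(logo_file, logo_dir)
        return True
    except InvalidLogoFile:
        return False
```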

Exploit

Fix

Path traversal

XSS

Weakness Enumeration

Related Identifiers

- CVE-2022-24851
- DSA-5177-1
- GHSA-F2FR-CCCR-583V

Affected Products

Ldap Account Manager