PT-2024-39430 · Unknown+2 · Phpldapadmin+2

Andreas Pfefferle · Published 2024-12-19 · Updated 2025-12-15 · CVE-2024-9101

CVSS v2.0: 5.1 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: phpLDAPadmin versions 1.2.1 through 1.2.6.7
Description: A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin allows an attacker to execute arbitrary JavaScript in the browser of a user who opens a crafted link. The element parameter is passed unsanitized to the JavaScript eval function, so a value that breaks out of the intended expression is executed as code. Exploitation is limited to cases where the popup's window.opener reference is correctly set, that is, where the Entry Chooser was launched from another phpLDAPadmin page rather than opened directly.
Recommendations: For phpLDAPadmin versions 1.2.1 through 1.2.6.7, as a temporary workaround, restrict use of the 'Entry Chooser' feature until a fix is available, and avoid passing the element parameter to the affected component. At the time of writing, no release containing a fix for this vulnerability is known.
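The following is an added illustration of the sink class described above (untrusted query parameter concatenated into a string that is then eval()ed against window.opener) and of the hardened alternative; it is constructed for this page and is not phpLDAPadmin's code. The form name ldapForm, the field name dn, the function names, and the way chooseEntry gates on opener being set are assumptions made for the example. A fake opener object stands in for the browser so the script runs under Node.

```javascript
// Constructed illustration of the sink class behind CVE-2024-9101; this is NOT
// phpLDAPadmin's code. A popup page reads ?element=<field name> and uses it to
// find a form field in the window that opened it (window.opener), then writes
// the chosen DN into that field. Building the lookup as source text and passing
// it to eval() lets a crafted parameter run arbitrary JavaScript.

// Stand-in for window.opener so the example runs under Node without a browser.
// Form and field names (ldapForm, dn) are assumptions for this illustration.
const opener = {
  document: { forms: { ldapForm: { elements: { dn: { value: "" } } } } },
};

// Mirrors reading the parameter from the popup's query string.
function elementParam(queryString) {
  return new URLSearchParams(queryString).get("element");
}

// VULNERABLE pattern: untrusted input concatenated into code and eval()ed.
// Whatever follows a closing quote in `element` executes with page privileges.
function resolveFieldUnsafe(opener, element) {
  // eslint-disable-next-line no-eval
  return eval("opener.document.forms['ldapForm'].elements['" + element + "']");
}

// HARDENED pattern: never build code from input. Accept only a plain
// identifier, then use ordinary property access; anything else is rejected.
const ELEMENT_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
function resolveFieldSafe(opener, element) {
  if (typeof element !== "string" || !ELEMENT_NAME.test(element)) {
    throw new Error("rejected element parameter: " + JSON.stringify(element));
  }
  const elements = opener.document.forms["ldapForm"].elements;
  // Own-property check avoids picking up prototype members such as "constructor".
  return Object.prototype.hasOwnProperty.call(elements, element) ? elements[element] : null;
}

// Models the advisory's caveat: the write-back (and with it the eval) only
// happens when opener is set, i.e. the chooser was launched via window.open()
// from a form. Opened directly, opener is null and nothing runs. How the real
// page gates this is an assumption here.
function chooseEntry(opener, element, dn, resolver) {
  if (!opener) return false;
  const field = resolver(opener, element);
  if (!field) return false;
  field.value = dn;
  return true;
}

// Runs both resolvers against a benign name and a constructed payload and
// reports what happened, so the difference can be checked programmatically.
function demonstrate() {
  const benign = "dn";
  // Constructed payload: closes the string, runs attacker code, then re-opens
  // the original expression so the statement still parses and returns a field.
  const attack =
    "dn']; globalThis.pwned = 'xss'; opener.document.forms['ldapForm'].elements['dn";
  const dnField = opener.document.forms.ldapForm.elements.dn;
  const result = {};

  delete globalThis.pwned;
  result.unsafeBenign = resolveFieldUnsafe(opener, elementParam("?element=" + benign)) === dnField;
  resolveFieldUnsafe(opener, elementParam("?element=" + encodeURIComponent(attack)));
  result.unsafePayloadRan = globalThis.pwned === "xss";

  delete globalThis.pwned;
  let rejected = false;
  try {
    resolveFieldSafe(opener, attack);
  } catch (e) {
    rejected = true;
  }
  result.safeRejected = rejected && globalThis.pwned === undefined;
  result.safeBenign = resolveFieldSafe(opener, benign) === dnField;
  result.safeUnknownField = resolveFieldSafe(opener, "constructor") === null;
  return result;
}

console.log(demonstrate());
```

The same reasoning applies on the server side of a reflected XSS like this one: a PHP page that echoes the parameter into an inline script block should validate it against an identifier pattern and emit it with json_encode rather than by string concatenation, so the value can never change the structure of the generated JavaScript.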

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-16093
CVE-2024-9101

Affected Products

Debian
Red Os
Phpldapadmin