PT-2024-39431 · Unknown+2 · Phpldapadmin+2
Andreas Pfefferle · Published 2024-12-19 · Updated 2025-11-17
CVE-2024-9102
CVSS v4.0: 5.0 (Medium)
Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
phpLDAPadmin versions 1.2.0 through 1.2.6.7
Description
phpLDAPadmin allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. This could lead to CSV Formula Injection.
Recommendations
For phpLDAPadmin versions 1.2.0 through 1.2.6.7, consider disabling the export functionality to CSV files until a patch is available to neutralize special elements. Restrict access to the export feature to minimize the risk of exploitation. Avoid opening CSV files exported from the LDAP directory in spreadsheet products that could interpret special elements as commands.
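Where exported files still have to be handled before a patch is available, they can be neutralized after export. The following is an added example, not phpLDAPadmin code or its fix: the function names and the sample data are constructed for illustration, and the set of leading characters is an assumption taken from OWASP's CSV Injection guidance.

```python
import csv
import io

# Leading characters that spreadsheet products treat as the start of a formula
# (assumption: the set listed in OWASP's CSV Injection guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Prefix a risky cell with a single quote so it is displayed as text."""
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def sanitize_export(csv_text: str):
    """Return (sanitized_csv, findings) for an exported CSV document."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    out = io.StringIO(newline="")
    # Quote every field so embedded commas, quotes and newlines cannot
    # shift a value into a new cell.
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    findings = []  # (row_number, column_name, original_value) per changed cell
    header = None
    for row_number, row in enumerate(reader, start=1):
        if header is None:
            header = row
        cleaned = []
        for index, cell in enumerate(row):
            safe = neutralize_cell(cell)
            if safe != cell:
                column = header[index] if index < len(header) else str(index)
                findings.append((row_number, column, cell))
            cleaned.append(safe)
        writer.writerow(cleaned)
    return out.getvalue(), findings


# Constructed sample export (not real directory data).
SAMPLE_EXPORT = (
    '"dn","cn","description"\n'
    '"cn=alice,dc=example,dc=com","alice","Help desk"\n'
    '"cn=bob,dc=example,dc=com","bob","=SUM(1,1)"\n'
    '"cn=carol,dc=example,dc=com","@carol","+49 30 000000"\n'
)
```

The findings list doubles as a review or alerting signal: any non-empty result means a directory attribute began with a formula character. Legitimate values such as phone numbers starting with `+` are also prefixed, which is the usual trade-off of this approach.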
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Red Os
Phpldapadmin