phpLDAPadmin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the cmd.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Currently, there are no known workarounds or upgrades to correct this issue. However, a fix has been released in the GIT repository to address this vulnerability. Check the vendor advisory or solution in the references section.

Unknown or Incomplete

• CVE ID: 2011-4074 (see also: NVD)
• Secunia Advisory ID: 46551 46672 46990
• Bugtraq ID: 50331
• Related OSVDB ID: 76594
• Vendor Specific News/Changelog Entry: http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069724.html
  http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=blobdiff;f=htdocs/cmd.php;h=0ddf0044355abc94160be73122eb34f3e48ab2d9;hp=34f3848fe4a6d4c00c7c568afa81f59579f5d724;hb=64668e882b8866fae0fa1b25375d1a2f3b4672e2;hpb=caeba7217
  http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
  http://sourceforge.net/tracker/index.php?func=detail&aid=3417184&group_id=61828&atid=498546
  http://www.debian.org/security/2011/dsa-2333
  https://bugzilla.redhat.com/show_bug.cgi?id=748537
• Other Advisory URL: http://openwall.com/lists/oss-security/2011/10/24/9
  http://openwall.com/lists/oss-security/2011/10/25/2
• Mail List Post: http://seclists.org/bugtraq/2012/Feb/5

Unknown or Incomplete