CVE-2024-9102

medium

Description

phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. Thus, this could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed; the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor to filter it on export.
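An added example, not code from phpLDAPadmin or the advisory, showing how an exporter can neutralize cells that a spreadsheet would treat as formulas, and how to check an already exported CSV for such cells before sharing it; the entry data, attribute names and helper names are constructed for illustration.

```python
import csv
import io

# Characters that common spreadsheet products treat as the start of a formula,
# plus tab and carriage return, which can break a value out of its cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as literal text.
    Leading whitespace is stripped before the check because some products
    ignore it when deciding whether a cell is a formula."""
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        # A leading single quote forces text mode. Trade-off: values such as
        # negative numbers or "-" prefixed phone numbers get the quote too.
        return "'" + text
    return text

def export_entries_csv(entries, attributes):
    """Serialize directory-like entries (dict of attribute -> list of values)
    to CSV, neutralizing every cell. Multi-valued attributes are joined with '|'."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(attributes)
    for entry in entries:
        row = []
        for attr in attributes:
            values = entry.get(attr, [])
            row.append(neutralize_cell("|".join(values)))
        writer.writerow(row)
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Scan an exported CSV and return (row, column) of every cell that a
    spreadsheet could interpret as a formula; useful as a pre-sharing check."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip().startswith(FORMULA_TRIGGERS):
                hits.append((r, c))
    return hits

# Constructed sample entries (not real directory data); one description value
# starts with '=' so a spreadsheet would otherwise evaluate it as a formula.
SAMPLE_ENTRIES = [
    {"cn": ["Alice Example"], "mail": ["alice@example.test"], "description": ["Staff"]},
    {"cn": ["Bob Example"], "mail": ["bob@example.test"], "description": ["=SUM(1,2)"]},
]
```

Running `find_formula_cells` over the output of `export_entries_csv(SAMPLE_ENTRIES, ["cn", "mail", "description"])` returns no hits, while the same check on an unsanitized export of the second entry flags the description column.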

References

https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/

https://sourceforge.net/projects/phpldapadmin/files/phpldapadmin-php5/1.2.0

https://github.com/leenooks/phpLDAPadmin/issues/274#issuecomment-2586859072

https://github.com/leenooks/phpLDAPadmin/commit/ea17aadef46fd29850160987fe7740ceed1381ad#diff-93b9f3e6d4c5bdacf469ea0ec74c1e9217ca6272da9be5a1bfd711f7da16f9e3R240

Details

Source: Mitre, NVD

Published: 2024-12-19

Updated: 2025-04-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:C

Severity: High

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Severity: Medium

CVSS v4

Base Score: 5

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L

Severity: Medium

EPSS

EPSS: 0.00099