Wiz
Vulnerability DatabaseCVE-2024-9101

CVE-2024-9101
Linux Debian vulnerability analysis and mitigation

Overview

A reflected cross-site scripting (XSS) vulnerability has been identified in phpLDAPadmin versions 1.2.1 through 1.2.6.7 (the latest version). The vulnerability exists in the 'Entry Chooser' feature, where user input from the 'element' parameter is unsafely passed to the JavaScript 'eval' function, potentially allowing attackers to execute arbitrary JavaScript code in the user's browser. However, exploitation is limited to specific conditions where the 'opener' variable is correctly set (Redguard Advisory).

Technical details

The vulnerability is present in the htdocs/entry_chooser.php file, where the request parameter 'element' is directly appended to a string that is passed to the eval() method without proper sanitization. The vulnerability was introduced in a commit from March 14, 2010. The issue has been assigned a CVSS v4.0 score of 2.1 (LOW) due to the specific conditions required for exploitation, particularly the requirement that the 'opener' variable must be set, which typically occurs only when the 'Entry Chooser' pop-up window is properly opened through the intended workflow (Redguard Advisory).

Impact

The impact of this vulnerability is limited due to the specific conditions required for exploitation. If successfully exploited, an attacker could execute arbitrary JavaScript code in the victim's browser context, potentially leading to cookie theft or other client-side attacks. However, the vulnerability cannot be directly exploited through a simple URL as it requires the 'opener' variable to be properly set (Redguard Advisory).

Mitigation and workarounds

The recommended mitigation is to avoid using the eval() function, especially with user-supplied input. Instead, it is advised to access the DOM element directly in a safe manner. A suggested code fix includes properly escaping user input using htmlspecialchars() and accessing DOM elements directly rather than through eval() (Redguard Advisory).

Community reactions

The vulnerability was discovered during a security assessment by Redguard AG. A Coordinated Vulnerability Disclosure was initiated in July 2024, but the phpLDAPadmin development team had not responded by the time of the public disclosure in December 2024 (Redguard Advisory).

Additional resources

SourceThis report was generated using AI

Related Linux Debian vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-67726HIGH7.5
  • Linux DebianLinux Debian
  • python-tornado
NoNoDec 12, 2025
CVE-2025-67725HIGH7.5
  • Linux DebianLinux Debian
  • python-tornado
NoNoDec 12, 2025
CVE-2025-11266MEDIUM6.8
  • Linux DebianLinux Debian
  • gdcm
NoNoDec 12, 2025
CVE-2025-67749MEDIUM5.3
  • Linux DebianLinux Debian
  • pcsx2
NoNoDec 12, 2025
CVE-2025-40345N/AN/A
  • Linux KernelLinux Kernel
  • kernel-headers
NoYesDec 12, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo