CVE-2025-58174: 
Linux Debian vulnerability analysis and mitigation

LDAP Account Manager (LAM), a webfrontend for managing LDAP directory entries, was found to contain a stored cross-site scripting vulnerability (CVE-2025-58174) in versions before 9.3. The vulnerability was discovered and disclosed on September 16, 2025. The issue specifically affects the Profile section of the application, where the profile name field is susceptible to XSS attacks (GitHub Advisory, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The technical nature of the vulnerability involves the profile name field rendering untrusted input as HTML and executing supplied scripts, such as script elements (GitHub Advisory).

The vulnerability allows authenticated users with profile creation or editing permissions to insert malicious script payloads into profile names. When these profile names are viewed in a browser, the injected scripts are executed, potentially leading to information disclosure and unauthorized actions within the application (GitHub Advisory).

The vulnerability has been fixed in LAM version 9.3. No known workarounds were mentioned for affected versions. Users are advised to upgrade to version 9.3 or later to address this security issue (NVD).