CVE-2025-58174: 
Linux Debian vulnerability analysis and mitigation

LDAP Account Manager (LAM), a webfrontend for managing LDAP directory entries, was found to contain a stored cross-site scripting vulnerability (CVE-2025-58174) in versions before 9.3. The vulnerability was discovered and disclosed on September 16, 2025 (GitHub Advisory, NVD).

The vulnerability exists in the Profile section of LAM, specifically in the profile name field, which renders untrusted input as HTML and executes supplied scripts. The issue has been assigned a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network accessibility with low attack complexity, required privileges, and user interaction (GitHub Advisory).

An authenticated user with permission to create or edit a profile can insert a script payload into the profile name, which will be executed when the profile data is viewed in a browser. This could potentially allow attackers to view information and perform actions within the application (GitHub Advisory).

The vulnerability has been fixed in LAM version 9.3. No known workarounds are mentioned for affected versions (NVD).