LDAP User Manager Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in LDAP User Manager versions through ce92321. The issue is located in the /setup/index.php endpoint, where the returnto parameter is not properly sanitized, allowing attackers to inject malicious JavaScript. This vulnerability can be exploited by sending a POST request with a crafted delete_user parameter that includes a script payload, which is then executed in the user's browser.

Impact

Exploitation of this vulnerability allows for arbitrary script execution in the user's browser, potentially leading to session hijacking, phishing, or data theft.

Reproduction

To reproduce this vulnerability, send a POST request to the /www/account_manager/index.php endpoint with the delete_user parameter containing a script payload, such as <script>alert('XSS');</script>. The injected script will be reflected in the response and executed in the browser.

Remediation

Encode the delete_user parameter with htmlspecialchars() before rendering it in the response, so that user-supplied input is emitted as text rather than as markup. Additionally, implement Cross-Origin Resource Sharing (CORS) protections and a Content Security Policy (CSP) to restrict script execution.
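The encoding fix described above, as an added PHP example that is not code from LDAP User Manager: the unsafe output pattern the advisory describes next to its hardened form, plus a restrictive CSP header as defence in depth. The function names render_unsafe(), render_safe() and send_security_headers() are hypothetical, and the sample value is constructed from the payload quoted in this advisory.

```php
<?php
declare(strict_types=1);

// Unsafe pattern: untrusted POST input is interpolated straight into HTML,
// so a value like <script>alert('XSS');</script> is returned as live markup.
function render_unsafe(string $deleteUser): string
{
    return "<p>User {$deleteUser} has been deleted.</p>";
}

// Hardened form: encode for the HTML text context before output.
// ENT_QUOTES also encodes single quotes, so the value is safe inside quoted
// attributes; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the explicit charset avoids encoding mismatches.
function render_safe(string $deleteUser): string
{
    $escaped = htmlspecialchars($deleteUser, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>User {$escaped} has been deleted.</p>";
}

// Defence in depth: a CSP that refuses inline script, so a payload that
// slips past a missed encoding point is still not executed by the browser.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample input equal to the payload quoted in the advisory;
// used as a fallback so the script also runs from the CLI without a request.
$sample = "<script>alert('XSS');</script>";
$input  = (string) ($_POST['delete_user'] ?? $sample);

send_security_headers();
echo render_safe($input), PHP_EOL;
```

Run with `php -S` behind a form posting delete_user, or directly from the CLI, and compare the two renderers: render_safe() emits the angle brackets and quotes as entities, while render_unsafe() would hand them to the browser as markup.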

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.