LDAP Account Manager
cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*
- 8.7
A stored cross-site scripting (XSS) vulnerability affects LDAP Account Manager (LAM) versions prior to 9.3. The profile name field in the Profile section does not properly sanitize untrusted input, so a profile name that contains markup is rendered as HTML rather than as text. An authenticated user who can create or edit profiles can store a script payload in the profile name; the payload then executes in the browser of any user who later views that profile.
The impact is stored XSS: the injected script runs in the browser session of whichever user views the profile, with that user's privileges in the application.
To reproduce, log into LAM version 8.7, open the Profile section and create a new profile whose name contains a script payload, for example a script element. Save the profile; when the profile data is later displayed in the browser, the injected script runs.
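The pattern behind the issue, as an added example that is not LAM's own code: a minimal page renderer that concatenates the stored profile name into HTML (the vulnerable form), the same renderer with context-specific output encoding (the hardened form), and a parser-based check that answers the reproduction question above, namely whether a saved name survives as live markup when the page is viewed. The template, the `profile_edit` link and the two payloads are constructed stand-ins, not LAM's actual Profile page or its fix.

```python
"""Added example, not code from LDAP Account Manager.

render_profile_vulnerable / render_profile_hardened are hypothetical
stand-ins for a profile listing page; 'profile_edit?name=' is an invented
link, not a LAM URL.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed payloads of the kind the advisory describes: one that targets
# the HTML text context, one that breaks out of an attribute.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_profile_vulnerable(profile_name: str) -> str:
    # Vulnerable: the stored name is pasted straight into the markup, so a
    # name that contains HTML becomes HTML when the page is viewed.
    return (
        f'<tr><td class="name">{profile_name}</td>'
        f'<td><a href="profile_edit?name={profile_name}">edit</a></td></tr>'
    )


def render_profile_hardened(profile_name: str) -> str:
    # Hardened: encode once per output context. escape(quote=True) handles
    # the text node and also neutralises quotes; quote(safe="") percent-
    # encodes the value that lands inside the URL attribute.
    text = escape(profile_name, quote=True)
    url_value = quote(profile_name, safe="")
    return (
        f'<tr><td class="name">{text}</td>'
        f'<td><a href="profile_edit?name={url_value}">edit</a></td></tr>'
    )


class _LiveMarkupFinder(HTMLParser):
    """Counts script elements and on* event-handler attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.script_tags += 1
        self.event_handlers += sum(
            1 for name, _ in attrs if name.lower().startswith("on")
        )


def executes_in_browser(rendered_html: str) -> bool:
    """Reproduction check: parse the rendered page the way a browser would
    tokenise it and report whether the payload survived as a real <script>
    element or an on* handler, rather than as escaped text."""
    finder = _LiveMarkupFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.script_tags > 0 or finder.event_handlers > 0


if __name__ == "__main__":
    for label, render in (
        ("vulnerable", render_profile_vulnerable),
        ("hardened", render_profile_hardened),
    ):
        for payload in (XSS_PAYLOAD, ATTR_PAYLOAD):
            print(f"{label}: executes={executes_in_browser(render(payload))}")
```

The check deliberately parses the output instead of grepping for the literal payload: an escaped name still contains the string `script`, but only an actual start tag or event attribute is something the browser will run. Encoding at output time is the generic fix pattern for this class of bug; the advisory does not state how the LAM 9.3 fix is implemented.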
Users are advised to update to LAM version 9.3 or later, where this issue has been fixed.