From secunia security advisory at $URL: Description: Input passed via the "base" parameter to cmd.php (when "cmd" is set to "query_engine") is not properly sanitised in lib/QueryRender.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is confirmed in version 1.2.2. Other versions may also be affected. Solution Fixed in the git repository. Original Advisory https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546 http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd
net-nds/phpldapadmin-1.2.2-r1 with the patch added to the tree.
thanks Jorge, closing
CVE-2012-0834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0834): Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php.