Summary: | <net-nds/phpldapadmin-1.2.1.1-r1: Cross-Site Scripting and Code Injection Vulnerabilities (CVE-2011-{4074,4075}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | jmbsvicetto, vostorga, web-apps |
Priority: | Normal | Keywords: | InVCS |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/46551/ | ||
Whiteboard: | ~1 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2011-10-24 15:56:30 UTC
phpldapadmin-1.2.1.1-r1 committed to tree with the security patches. Great, thanks, closing noglsa for ~arch only package. CVE-2011-4075 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4075): The masort function in lib/functions.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to execute arbitrary PHP code via the orderby parameter (aka sortby variable) in a query_engine action to cmd.php, as exploited in the wild in October 2011. CVE-2011-4074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4074): Cross-site scripting (XSS) vulnerability in cmd.php in phpLDAPadmin 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via an _debug command. |