phpldapadmin 1.2.5 vulnerable to stored cross site scripting

Bug #1906474 reported by Andy Gu
Affects: phpldapadmin (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hi! I noticed that phpldapadmin versions up to v1.2.5 have a stored cross-site scripting vulnerability when confirming a change to a field. I have attached details in this Github issue:

https://github.com/leenooks/phpLDAPadmin/issues/130

The maintainer noted that 1.2.6 is not vulnerable, but I wanted to report upstream in case it is assigned here.
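The report above describes a stored XSS on the page that asks the user to confirm a field change, which is the classic case of a value read back from the directory being written into HTML without output encoding. The following is an added illustration of that defect and its fix written for this page; it is not phpLDAPadmin's own code, the function names are assumed, and the attribute value is a constructed sample standing in for a value stored in LDAP.

```php
<?php
// Added example, not phpLDAPadmin code: a "confirm this change" table row
// rendered first without and then with output encoding.

// Vulnerable pattern: the stored attribute value is interpolated into the
// HTML verbatim, so any markup it contains becomes part of the page and
// runs in the browser of whoever opens the confirmation screen.
function render_confirm_row_unsafe(string $attr, string $old, string $new): string
{
    return "<tr><td>$attr</td><td>$old</td><td>$new</td></tr>";
}

// Hardened pattern: every untrusted value is HTML-encoded for the element
// body it lands in. ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string,
// and the explicit charset avoids encoding mismatches.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_confirm_row(string $attr, string $old, string $new): string
{
    return '<tr><td>' . h($attr) . '</td><td>' . h($old) . '</td><td>' . h($new) . '</td></tr>';
}

// Constructed sample input: a description value that happens to contain
// a closing quote and a tag, the kind of content a stored XSS relies on.
$attr = 'description';
$old  = 'Old text';
$new  = '"><b>injected</b>';

echo render_confirm_row_unsafe($attr, $old, $new), PHP_EOL;
echo render_confirm_row($attr, $old, $new), PHP_EOL;
```

In the unsafe row the `<b>` element is rendered as markup; in the hardened row it is rendered as literal text because `<`, `>` and `"` have been replaced by entities. The same encoding has to be applied at every place a directory value is written into a page, and a different encoder is needed if the value lands inside an attribute, a URL or a script block rather than element text.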


Andy Gu (everykittysdaydream) wrote :

I apologize for the public disclosure on Github -- I was following the disclosure policy described on that site. I also transferred the report here in haste.

information type: Private Security → Public Security
Changed in phpldapadmin (Ubuntu):
status: New → Confirmed
Andy Gu (everykittysdaydream) wrote :

Hi @Seth-arnold! Do you know if a CVE has been assigned for this ticket, if applicable?

Seth Arnold (seth-arnold) wrote : Re: [Bug 1906474] Re: phpldapadmin 1.2.5 vulnerable to stored cross site scripting

On Thu, Dec 10, 2020 at 08:22:07PM -0000, Andy Gu wrote:
> Hi @Seth-arnold! Do you know if a CVE has been assigned for this ticket,
> if applicable?

Thanks for the reminder.

Alex Murray (alexmurray) wrote :

CVE-2020-35132 was assigned by MITRE for this issue.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpldapadmin - 1.2.6.3-0.2

---------------
phpldapadmin (1.2.6.3-0.2) unstable; urgency=medium

  * Non-maintainer upload
  * Previous changelog also closed:
  * Make build reproducible (Closes: #834279)
  * Update to github new upstream release (Closes: #952635)
  * Fix CVE-2020-35132 (Closes: #987355)
  * Add japanese translation (Closes: #717205)
    - thanks victory for the patch

 -- Gianfranco Costamagna <email address hidden> Thu, 27 Jan 2022 17:56:42 +0100

Changed in phpldapadmin (Ubuntu):
status: Confirmed → Fix Released