Phpipam before v1.5.2 was discovered to contain a LDAP injection vulnerability via the dname parameter at /users/ad-search-result.php. This vulnerability allows attackers to enumerate arbitrary fields in the LDAP server and access sensitive data via a crafted POST request.
References
Link | Resource |
---|---|
https://github.com/ehtec/phpipam-exploit | Exploit Third Party Advisory |
https://github.com/phpipam/phpipam/commit/c451085476074943eb4056941005c0b61db566c5 | Patch |
https://github.com/ehtec/phpipam-exploit | Exploit Third Party Advisory |
https://github.com/phpipam/phpipam/commit/c451085476074943eb4056941005c0b61db566c5 | Patch |
Configurations
History
21 Nov 2024, 08:21
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-02 13:15
Updated : 2024-11-21 08:21
NVD link : CVE-2023-41580
Mitre link : CVE-2023-41580
CVE.ORG link : CVE-2023-41580
JSON object : View
Products Affected
phpipam
- phpipam
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')