| Name | CVE-2025-58174 |
| Description | LDAP Account Manager (LAM) is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script (for example a script element). An authenticated user with permission to create or edit a profile can insert a script payload into the profile name and have it executed when the profile data is viewed in a browser. This issue is fixed in version 9.3. No known workarounds are mentioned. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1115656 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| ldap-account-manager (PTS) | bullseye (security), bullseye | 8.0.1-0+deb11u1 | vulnerable |
| bookworm | 8.3-1 | vulnerable |
| forky, sid, trixie | 9.0-1 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[trixie] - ldap-account-manager <no-dsa> (Minor issue)
[bookworm] - ldap-account-manager <no-dsa> (Minor issue)
[bullseye] - ldap-account-manager <postponed> (Minor issue)
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6gqg-wm9x-5x3m