CVE-2022-24851

Name: CVE-2022-24851
Creator: NVD / NIST
Published: 2022-04-15T19:15:12.383+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.8/10EPSS 1.05%

Last modified Jun 17, 2026

CVE-2022-24851 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. EPSS estimates a 1.05% chance of exploitation in the next 30 days.

Description

LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality, the parameters on this page are not properly sanitized and hence leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which gets triggered when any other user try to access the edit profile page. The pdf editor tool has an edit pdf profile functionality, the logoFile parameter in it is not properly sanitized and an user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like burpsuite. Later when a pdf is exported using the edited profile the pdf icon has the image on that path(if image is present). Both issues require an attacker to be able to login to LAM admin interface. The issue is fixed in version 7.9.1.

Metrics

CVSS 3.1

4.8/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

1.05%

60.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Ldap-Account-Manager	Ldap Account Manager	< 7.9.1
Debian	Debian Linux	11.0

References

https://github.com/LDAPAccountManager/lam/commit/3c6f09a3579e048e224eb5a4c4e3eefaa8bccd49Patch, Third Party Advisory
https://github.com/LDAPAccountManager/lam/issues/170Exploit, Patch, Third Party Advisory
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-f2fr-cccr-583vPatch, Third Party Advisory
https://www.debian.org/security/2022/dsa-5177Third Party Advisory
https://github.com/LDAPAccountManager/lam/commit/3c6f09a3579e048e224eb5a4c4e3eefaa8bccd49Patch, Third Party Advisory
https://github.com/LDAPAccountManager/lam/issues/170Exploit, Patch, Third Party Advisory
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-f2fr-cccr-583vPatch, Third Party Advisory
https://www.debian.org/security/2022/dsa-5177Third Party Advisory

Timeline

Published: Apr 15, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24851?

How severe is CVE-2022-24851?

CVE-2022-24851 has a CVSS score of 4.8/10 (MEDIUM severity). The EPSS model estimates a 1.05% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24851?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24851?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST