CVE-2022-24851

8.1 HIGH

📋 TL;DR

CVE-2022-24851 is a stored cross-site scripting (XSS) vulnerability in LDAP Account Manager (LAM) that allows authenticated attackers to inject malicious scripts into profile configurations. These scripts execute when other users access the affected profile pages, potentially stealing credentials or performing unauthorized actions. The vulnerability also includes a path traversal issue in PDF profile logos that could expose sensitive files.

💻 Affected Systems

Products:
  • LDAP Account Manager (LAM)
Versions: All versions before 7.9.1
Operating Systems: All platforms running LAM
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to LAM admin interface; both profile editor and PDF editor tools are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated malicious admin could steal session cookies, credentials, or perform administrative actions as other users, potentially compromising the entire LDAP directory management system.

🟠 Likely Case

Authenticated attackers with malicious intent could perform session hijacking, credential theft, or limited unauthorized actions against other LAM users.

🟢 If Mitigated

With proper authentication controls and user education, impact is limited to authenticated users only, reducing exposure to trusted personnel.

🌐 Internet-Facing: HIGH if LAM is exposed to the internet, as authenticated attackers could exploit it remotely.
🏢 Internal Only: MEDIUM as it requires authenticated access, limiting exposure to internal users with LAM credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; XSS payloads can be injected via profile parameters, and path traversal via the logoFile parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.9.1

Vendor Advisory: https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-f2fr-cccr-583v

Restart Required: Yes

Instructions:

1. Back up the current LAM configuration and data.
2. Download LAM version 7.9.1 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart the web server service.
5. Verify functionality.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement additional input validation and output encoding for profile parameters.

Modify the LAM source code to sanitize profile parameters and logoFile inputs.

Access Restriction (applies to: all)

Restrict LAM admin interface access to trusted users only.

Configure the web server to limit LAM access to specific IP ranges or VPN users.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Monitor and audit LAM admin user activities for suspicious profile modifications

🔍 How to Verify

Check if Vulnerable:

Check the LAM version via the web interface or the configuration files; versions below 7.9.1 are vulnerable.

Check Version:

Check the file /usr/share/ldap-account-manager/version or the version displayed in the web interface.

Verify Fix Applied:

Verify LAM version is 7.9.1 or higher and test profile editor for parameter sanitization.
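As an added example (not part of this advisory or of the LAM project), the following Python script reads the version file named above and compares it numerically against 7.9.1. The file path is the one given in this section; the version strings used for illustration are constructed. The point of parsing into integers is that a plain string comparison would rank a hypothetical "7.10" below "7.9" and misreport it as vulnerable.

```python
from __future__ import annotations

import re
from pathlib import Path

# First fixed release named in the advisory.
FIXED_VERSION = (7, 9, 1)

# Version file location as given in the "Check Version" step above.
VERSION_FILE = Path("/usr/share/ldap-account-manager/version")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a dotted version from a string such as '7.9.1' or 'LAM 7.10'
    and return it as a tuple of ints so that comparison is numeric."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than 7.9.1."""
    parsed = parse_version(version)
    # Pad short versions so '7.9' is compared as (7, 9, 0).
    parsed = parsed + (0,) * (len(FIXED_VERSION) - len(parsed))
    return parsed < FIXED_VERSION


def check_file(path: Path = VERSION_FILE) -> str:
    """Report the patch state of the LAM install whose version file is at `path`."""
    try:
        text = path.read_text(encoding="utf-8").strip()
    except FileNotFoundError:
        return (f"{path} not found; check the version shown in the LAM web "
                f"interface instead")
    state = "VULNERABLE (update to 7.9.1 or later)" if is_vulnerable(text) else "patched"
    return f"LAM {text}: {state}"


if __name__ == "__main__":
    print(check_file())
```

Run it on the LAM host; if the package does not ship the version file, the script says so and falls back to asking for the web interface check described above.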

📡 Detection & Monitoring

Log Indicators:

  • Unusual profile modifications
  • Multiple failed login attempts followed by profile changes
  • Requests containing XSS payload patterns in profile parameters

Network Indicators:

  • HTTP requests with suspicious parameters to profile editor endpoints
  • Unusual file path patterns in logoFile parameters

SIEM Query:

source="lam_logs" AND (event="profile_edit" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:"))
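The SIEM query above states the idea; as an added example that is not part of this advisory or of LAM, the following Python script applies the same indicators to a handful of constructed log lines. The `key=value` line format is assumed for illustration (LAM's real log format is not shown on this page). The script percent-decodes values before matching, so double-encoded payloads are caught, widens the XSS check to `javascript:` URIs and inline event handlers, and also flags `..` path segments in logoFile values, covering the path traversal side of the advisory.

```python
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Constructed sample log lines in an assumed format (not LAM's real log format):
#   <timestamp> user=<name> event=<event> param=<name> value=<url-encoded value>
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z user=alice event=profile_edit param=description value=Standard%20user%20profile",
    "2024-05-01T10:01:00Z user=bob event=profile_edit param=description value=%3Cscript%3Ex%3C%2Fscript%3E",
    "2024-05-01T10:02:00Z user=bob event=profile_edit param=homepage value=javascript%3Avoid%280%29",
    "2024-05-01T10:03:00Z user=carol event=profile_edit param=description value=%253Cscript%253Ex%253C%252Fscript%253E",
    "2024-05-01T10:04:00Z user=dave event=pdf_edit param=logoFile value=..%2F..%2Fconfig%2Fexample.conf",
    "2024-05-01T10:05:00Z user=erin event=pdf_edit param=logoFile value=company-logo.png",
    "2024-05-01T10:06:00Z user=frank event=profile_edit param=description value=%3Cimg%20src%3Dx%20onerror%3D1%3E",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"param=(?P<param>\S+) value=(?P<value>.*)$"
)

# Script-injection indicators, matched case-insensitively after decoding.
# The event-handler pattern is a heuristic and can fire on words like "one=".
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}

# A ".." path segment (backslashes are normalised to "/" before matching).
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) and unescape HTML entities so that
    double-encoded payloads do not slip past the substring checks."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def parse_line(line: str) -> dict[str, str] | None:
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(param: str, value: str) -> list[str]:
    """Return the names of the indicators that fire for one parameter value."""
    text = normalize(value)
    hits = [name for name, rx in XSS_PATTERNS.items() if rx.search(text)]
    if param == "logoFile" and TRAVERSAL_RE.search(text.replace("\\", "/")):
        hits.append("path_traversal")
    return hits


def scan(lines) -> list[tuple[str, str, str, str, list[str]]]:
    """Return (timestamp, user, event, param, indicators) for each suspicious line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["param"], rec["value"])
        if hits:
            findings.append((rec["ts"], rec["user"], rec["event"], rec["param"], hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Unlike the SIEM query, which is limited to `profile_edit` events, the scan reports every event type and includes the event name in each finding, so PDF editor activity is covered too; when adapting it, replace `LINE_RE` with a pattern for the log source actually in use.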
