CVE-2022-24851: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LDAPAccountManager lam
LDAP Account Manager (LAM) is an open source web frontend for managing entries stored in an LDAP directory. The profile editor tool has an edit profile functionality; the parameters on this page are not properly sanitized, which leads to stored XSS. An authenticated user can store XSS payloads in the profiles, which are triggered when any other user opens the edit profile page. The PDF editor tool has an edit PDF profile functionality; the logoFile parameter in it is not properly sanitized, and a user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like Burp Suite. Later, when a PDF is exported using the edited profile, the PDF icon shows the image at that path (if an image is present there). Both issues require an attacker to be able to log in to the LAM admin interface. The issue is fixed in version 7.9.1.
AI Analysis
Technical Summary
CVE-2022-24851 is a security vulnerability affecting LDAP Account Manager (LAM), an open-source web frontend used for managing LDAP directory entries. The record covers two distinct input-handling flaws in the profile editing features: a stored Cross-Site Scripting (XSS) bug and a path traversal bug. First, the profile editor in LAM versions prior to 7.9.1 does not escape the parameters submitted on the edit profile page before rendering them back into HTML. An authenticated user can therefore save a script payload inside a profile; the payload is stored server-side and executes in the browser of every other user who later opens that profile for editing. Because LAM's users are directory administrators, the script runs with an administrator's session and can issue requests to the LAM interface on that user's behalf, capture what the user sees, or attempt session or credential theft. Second, the PDF editor's edit PDF profile function accepts a logoFile parameter that is used as a file path without validation. The intended value is the name of a logo inside LAM's logo directory, but an attacker can submit a relative path such as '../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png' (the form field would normally be constrained in the browser, so an intercepting proxy is used). When a PDF is later exported with the modified profile, the server reads the file at that path and embeds it as the document's logo if an image exists there. The practical effect is a limited file read: any image file readable by the web server process can be pulled into an exported PDF, and the "only if present" behaviour gives a crude way to probe for file existence. It is not a general arbitrary-file-read, since non-image content would not render, nor does it allow writing files. Both issues require the attacker to hold valid LAM admin interface credentials, so exploitation is limited to authenticated users. Both are fixed in LAM 7.9.1. No known exploits had been reported in the wild as of the publication date. The record is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting); the logoFile issue corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal).
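The two patterns described above are easier to reason about side by side. The following is an added illustration, not LAM's own code: each flaw is shown as a vulnerable function next to a hardened one, in Python rather than LAM's PHP so that the logic can be run stand-alone. All function names, the regular expression, and the stub logo directory are assumptions made for the example; the traversal string is the one from the advisory, and the XSS payload is a constructed sample.

```python
"""
Illustrative (not LAM's own code): the two input-handling mistakes behind
CVE-2022-24851, each shown as a vulnerable pattern beside a hardened one.
All function and parameter names are assumptions chosen for this example.
"""
import html
import os
import re
import tempfile

# ---- Issue 1: stored XSS in profile fields -------------------------------

def render_field_vulnerable(label: str, value: str) -> str:
    # Interpolates the stored profile value straight into HTML, so a value
    # like  "><script>...</script>  closes the attribute and injects markup.
    return f'<label>{label}</label><input name="{label}" value="{value}">'


def render_field_hardened(label: str, value: str) -> str:
    # Escape on output: &, <, >, " and ' become entities, so a stored payload
    # is displayed as text instead of being parsed as markup.
    return (f'<label>{html.escape(label)}</label>'
            f'<input name="{html.escape(label)}" value="{html.escape(value)}">')


# ---- Issue 2: path traversal in the PDF profile's logo file ---------------

# Assumed allowlist for a logo name: no separators, no '..', image extension.
_LOGO_NAME = re.compile(r'[A-Za-z0-9_.-]+\.(png|jpg|jpeg)')


def resolve_logo_vulnerable(logo_dir: str, logo_file: str) -> str:
    # Joins the user-supplied value onto the logo directory; "../" segments
    # walk out of it and any readable image on the host can be selected.
    return os.path.normpath(os.path.join(logo_dir, logo_file))


def resolve_logo_hardened(logo_dir: str, logo_file: str) -> str:
    """Return the absolute path of a logo inside logo_dir, or raise ValueError.

    Three independent checks: a strict filename allowlist, a realpath
    containment test after symlink resolution, and an existence check so the
    caller never silently falls back to some other file.
    """
    if not _LOGO_NAME.fullmatch(logo_file) or '..' in logo_file:
        raise ValueError(f'rejected logo name: {logo_file!r}')
    root = os.path.realpath(logo_dir)
    candidate = os.path.realpath(os.path.join(root, logo_file))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError('logo path escapes the logo directory')
    if not os.path.isfile(candidate):
        raise ValueError('logo file does not exist')
    return candidate


def demo() -> dict:
    """Exercise both pairs against the advisory's traversal string and a
    constructed XSS payload; returns booleans describing what happened."""
    payload = '"><script>alert(document.cookie)</script>'
    traversal = ('../../../../../../../../../../../../../'
                 'usr/share/icons/hicolor/48x48/apps/gvim.png')
    with tempfile.TemporaryDirectory() as logo_dir:
        # Constructed stand-in for a legitimate logo (a PNG header only).
        with open(os.path.join(logo_dir, 'company.png'), 'wb') as fh:
            fh.write(b'\x89PNG\r\n\x1a\n')
        vuln_path = resolve_logo_vulnerable(logo_dir, traversal)
        try:
            resolve_logo_hardened(logo_dir, traversal)
            hardened_rejects = False
        except ValueError:
            hardened_rejects = True
        ok_path = resolve_logo_hardened(logo_dir, 'company.png')
        root = os.path.realpath(logo_dir)
        return {
            'vuln_html_has_script': '<script>' in render_field_vulnerable('name', payload),
            'hardened_html_has_script': '<script>' in render_field_hardened('name', payload),
            'vuln_path_escapes': not vuln_path.startswith(root),
            'hardened_rejects_traversal': hardened_rejects,
            'hardened_accepts_legit': os.path.basename(ok_path) == 'company.png',
        }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The containment test alone is not enough in the real fix: without the allowlist, a symlink placed inside the logo directory (by any process that can write there) would still pass `realpath` containment, and without the existence check a failed lookup can degrade into an unhelpful fallback. The allowlist is deliberately stricter than "no `..`", because rejecting separators also closes the absolute-path case.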
Potential Impact
For European organizations using LDAP Account Manager versions prior to 7.9.1, these vulnerabilities pose a moderate security risk. The stored XSS vulnerability lets an authenticated attacker execute arbitrary JavaScript in the browser of any other LAM user who opens the affected profile, with that user's session. Since LAM users are by definition directory administrators, the script can perform administrative actions in the LDAP management environment (creating or modifying accounts, changing group membership, reading attributes) or steal session material, which undermines the integrity and confidentiality of directory data and of the administrative workflow. The path traversal in the PDF editor is narrower: it lets an attacker pull image files readable by the web server process into an exported PDF, which is a limited information disclosure and a file-existence oracle rather than a general file read. Because both issues require authenticated access, the realistic threat is an insider with a LAM login, a compromised administrator credential, or a lower-privileged LAM account being used to pivot into a more privileged one via XSS. Given that LAM is commonly used in enterprise environments to manage the directory behind user authentication and authorization, the downstream effect of a hijacked administrator session can extend well beyond LAM itself. The lack of known exploits reduces immediate risk, but the attack requires no special tooling beyond an intercepting proxy, so organizations in sectors with high-value data or critical infrastructure should not discount targeted use. Overall, the vulnerabilities carry moderate confidentiality and integrity impacts; availability impact is limited to whatever an abused administrator session chooses to do.
Mitigation Recommendations
1. Upgrade LDAP Account Manager to version 7.9.1 or later; this is the only complete fix for both the stored XSS and the path traversal.
2. Restrict access to the LAM interface using network segmentation, a VPN, or IP allowlisting so that only administrative hosts can reach it.
3. Require strong authentication for LAM, such as multi-factor authentication, to reduce the risk from compromised credentials.
4. Audit LAM accounts and permissions regularly and remove unused or unexpected logins; every LAM login is effectively trusted by every other LAM user's browser, so account provisioning should be treated as a privileged operation.
5. Monitor web server and application logs for unusual activity around the profile editor and PDF export, for example profile saves followed shortly by exports from another account, or logoFile values that are not plain file names.
6. Deploy a Content Security Policy on the LAM web interface to limit what an injected script can do; test it in report-only mode first, since an over-strict policy can break the interface's own scripts.
7. Review and harden file system permissions on the host so that the web server process can read only what LAM needs; this bounds what the traversal can pull into a PDF.
8. Make administrators aware that profile and PDF profile contents are shared across all LAM users, and that unexpected content in a profile should be treated as a possible attack rather than a cosmetic glitch.
9. If an immediate upgrade is not feasible, disable or restrict access to the profile editor and PDF export functions until the patch is applied.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Austria
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-02-10T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9848c4522896dcbf63aa
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 2:22:20 AM
Last updated: 7/26/2025, 2:00:10 AM