This issue is classified as low severity. It is fixed in version 9.3.
Debian source packages are available here: https://www.ldap-account-manager.org/static/debian-packages/

On 19.09.25 at 06:16, Salvatore Bonaccorso wrote:
Source: ldap-account-manager
Version: 9.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2025-58174[0]:
| LDAP Account Manager (LAM) is a webfrontend for managing entries
| stored in an LDAP directory. LAM before 9.3 allows stored cross-site
| scripting in the Profile section via the profile name field, which
| renders untrusted input as HTML and executes a supplied script (for
| example a script element). An authenticated user with permission to
| create or edit a profile can insert a script payload into the
| profile name and have it executed when the profile data is viewed in
| a browser. This issue is fixed in version 9.3. No known workarounds
| are mentioned.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58174
    https://www.cve.org/CVERecord?id=CVE-2025-58174
[1] https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6gqg-wm9x-5x3m

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore