Executive Summary
| Summary | |
|---|---|
| Title | New ldap-account-manager packages fix multiple vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | DSA-1287 | First vendor Publication | 2007-05-07 |
| Vendor | Debian | Last vendor Modification | 2007-05-07 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.2 | Attack Range | Local |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Two vulnerabilities have been identified in the version of ldap-account-manager shipped with Debian 3.1 (sarge). CVE-2006-7191 An untrusted PATH vulnerability could allow a local attacker to execute arbitrary code with elevated privileges by providing a malicious rm executable and specifying a PATH environment variable referencing this executable. CVE-2007-1840 Improper escaping of HTML content could allow an attacker to execute a cross-site scripting attack (XSS) and execute arbitrary code in the victim's browser in the security context of the affected web site. For the old stable distribution (sarge), this problem has been fixed in version 0.4.9-2sarge1. Newer versions of Debian (etch, lenny, and sid), are not affected. We recommend that you upgrade your ldap-account-manager package. |
Original Source
| Url : http://www.debian.org/security/2007/dsa-1287 |
CAPEC : Common Attack Pattern Enumeration & Classification
| Id | Name |
|---|---|
| CAPEC-21 | Exploitation of Session Variables, Resource IDs and other Trusted Credentials |
| CAPEC-31 | Accessing/Intercepting/Modifying HTTP Cookies |
| CAPEC-167 | Lifting Sensitive Data from the Client |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 1287-1 (ldap-account-manager (0.4.9-2sarge1)) File : nvt/deb_1287_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 35457 | LDAP Account Manager (LAM) lamdaemon.pl PATH Subversion Local Privilege Escal... |
| 34538 | LDAP Account Manager (LAM) lib/modules.inc LDAP Data Input Filtering Weakness |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2007-05-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1287.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:26:36 |
|
