CVE-2022-31086 MEDIUM

CVE-2022-31086: Incorrect Regular Expressions in ldap-account-manager

Vendor Ldapaccountmanager
Product lam
Weakness CWE-74
Published June 27, 2022
Last update April 23, 2025

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

June 27, 2022 CVE published
April 23, 2025 Record updated