How severe is CVE-2024-52792?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-52792?

This is classified as CWE-610, which is a common weakness in software security.

CVE-2024-52792 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via `mainmanage.php` and `confmain.php`. This allows setting arbitrary config values and thus effectively bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via `mainmanage.php` and `confmain.php`. The values are written to `config.cfg` or `serverprofile.conf` in the format of `settingsName: settingsValue` line-by-line. An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2017-18357

MEDIUM

CVSS:6.5(Medium)

Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via...

CWE-6102017

CVE-2020-21363

MEDIUM

CVSS:6.5(Medium)

An arbitrary file deletion vulnerability exists within Maccms10.

CWE-6102020

CVE-2021-26920

MEDIUM

CVSS:6.5(Medium)

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intend...

CWE-6102021

CVE-2021-3779

MEDIUM

CVSS:6.5(Medium)

A malicious MySQL server can request local file content from a client using ruby-mysql prior to version 2.10.0 without explicit authorization from the user. This issue was resolved in version 2.10.0 a...

CWE-6102021

CVE-2022-30245

MEDIUM

CVSS:6.5(Medium)

Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user wit...

CWE-6102022

CVE-2022-3032

MEDIUM

CVSS:6.5(Medium)

When receiving an HTML email that contained an <code>iframe</code> element, which used a <code>srcdoc</code> attribute to define the inner HTML document, remote objects specified in the nested documen...

CWE-6102022