CVE-2024-9102

phpLDAPadmin: Improper Neutralization of Formula Elements

Description

phpLDAPadmin since at least version 1.2.0 through the latest version 1.2.6.7 allows users to export elements from the LDAP directory into a Comma-Separated Value (CSV) file, but it does not neutralize special elements that could be interpreted as a command when the file is opened by a spreadsheet product. This could lead to CSV Formula Injection. NOTE: This vulnerability will not be addressed; the maintainer's position is that it is not the intention of phpLDAPadmin to control what data Administrators can put in their LDAP database, nor to filter it on export.

Remediation

Solution:

  • It is recommended that special characters at the beginning of character strings in cells are filtered before CSV export in order to avoid formula injection. As such functions always start with one of the following characters, these can be filtered specifically:
    - Equal (=)
    - Plus (+)
    - Minus (-)
    - At (@)
    - Tab (0x09)
    - Carriage return (0x0D)
    When filtering these special characters, care should be taken to ensure that not only the special character in the first position is removed (for example in +-@=cmd|' /C calc.exe'!'A1'). Instead, all leading special characters up to the first legitimate character should be removed. As an alternative to the above-mentioned filtering, OWASP suggests another sanitization method, which includes three steps ( https://owasp.org/www-community/attacks/CSV_Injection ).
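
The following is an added example of the two mitigations described above, written for this page and not taken from phpLDAPadmin (which is PHP; Python is used here so the logic is easy to read and run). It implements the "strip the whole leading run" filter for the six trigger characters, and the OWASP alternative, whose three steps (wrap each field in double quotes, prepend a single quote, double every embedded double quote) are taken from the linked OWASP page rather than from this advisory. The exemption for plain numbers such as -42, so that stripping a leading minus does not corrupt numeric data, is an addition of this example. The directory rows are constructed sample data; the third row carries the multi-prefix payload quoted in the advisory so the difference between single-character and full-run stripping is visible. A small audit function that flags formula-like cells in an existing export is included for defenders who need to check files that were produced without sanitization.

```python
import csv
import io
import re
from typing import Callable, Iterable, List, Sequence, Tuple

# Leading characters a spreadsheet treats as the start of a formula; this is
# exactly the set the advisory lists: = + - @ TAB CR.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")

# Plain integers/decimals with an optional sign. A spreadsheet parses these as
# numbers, not formulas, so they are left untouched (example's own exemption).
_NUMBER_RE = re.compile(r"[-+]?\d+(\.\d+)?")


def is_plain_number(value: str) -> bool:
    """True for values like '-42' or '3.5' that must keep their leading sign."""
    return _NUMBER_RE.fullmatch(value) is not None


def strip_leading_triggers(value: str) -> str:
    """Remove the entire run of leading trigger characters, not just the first.

    Removing only one character turns "+-@=cmd|..." into "-@=cmd|...", which a
    spreadsheet still evaluates; the loop continues until a legitimate character.
    """
    if is_plain_number(value):
        return value
    i = 0
    while i < len(value) and value[i] in FORMULA_TRIGGERS:
        i += 1
    return value[i:]


def quote_prefix(value: str) -> str:
    """OWASP-style neutralisation: prepend a single quote so the spreadsheet
    stores the cell as literal text. The other two OWASP steps (wrap the field
    in double quotes, double embedded double quotes) are performed by
    csv.writer with QUOTE_ALL in export_csv()."""
    if value and value[0] in FORMULA_TRIGGERS and not is_plain_number(value):
        return "'" + value
    return value


def export_csv(rows: Iterable[Sequence[str]], sanitize: Callable[[str], str]) -> str:
    """Serialise rows to CSV text, passing every cell through `sanitize` first."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize(str(cell)) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """Audit an existing export: return (row, column, value) for every cell a
    spreadsheet would evaluate as a formula."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell and cell[0] in FORMULA_TRIGGERS and not is_plain_number(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample directory entries (not real data). Row 2 uses the
# multi-prefix payload quoted in the advisory; "-42" shows the numeric exemption.
SAMPLE_ROWS = [
    ["uid", "cn", "description", "employeeNumber"],
    ["jdoe", "Jane Doe", '=HYPERLINK("http://example.invalid","click")', "-42"],
    ["msmith", "Mark Smith", "+-@=cmd|' /C calc.exe'!'A1'", "17"],
]

if __name__ == "__main__":
    unsafe = export_csv(SAMPLE_ROWS, lambda v: v)  # no sanitisation
    print("formula cells in unsanitised export:", find_formula_cells(unsafe))
    print("--- stripped ---")
    print(export_csv(SAMPLE_ROWS, strip_leading_triggers), end="")
    print("--- quote-prefixed ---")
    print(export_csv(SAMPLE_ROWS, quote_prefix), end="")
```

The stripping variant changes the exported data (the payload cell loses its prefix), whereas the quote-prefix variant preserves the original value as visible text; which one suits an LDAP export depends on whether downstream consumers need the exact attribute value or a spreadsheet-safe rendering.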

Workaround:

  • It is advised that the Office settings in clients are configured in such a way that Dynamic Data Exchange (DDE) is disabled.

CVSS 4.0 score: 5.0
Severity: Medium
EPSS: 0.18%
Third-Party Advisory: redguard.ch
Affected: phpLDAPadmin (vendor: phpLDAPadmin)

Frequently Asked Questions

What is the severity of CVE-2024-9102?
CVE-2024-9102 has been scored as a medium severity vulnerability.
How to fix CVE-2024-9102?
To fix CVE-2024-9102: filter the special characters at the beginning of cell values before CSV export, since formulas always start with one of Equal (=), Plus (+), Minus (-), At (@), Tab (0x09) or Carriage return (0x0D). Remove the entire leading run of such characters up to the first legitimate character, not only the character in the first position (for example in +-@=cmd|' /C calc.exe'!'A1'). As an alternative to this filtering, OWASP suggests a three-step sanitization method ( https://owasp.org/www-community/attacks/CSV_Injection ).
Is CVE-2024-9102 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-9102 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-9102?
CVE-2024-9102 affects phpLDAPadmin (vendor: phpLDAPadmin).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.