6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-25095

GHSA ID

GHSA-vq8w-x8v7-f88m

EPSS Score

0.21933%

CWE

CWE-79

Published

1/5/2023

Updated

9/27/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-25095

CVE-2019-25095: LdapCherry Cross-site Scripting vulnerbaility

A vulnerability, which was classified as problematic, was found in kakwa LdapCherry up to 0.x. Affected is an unknown function of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 6f98076281e9452fdb1adcd1bcbb70a6f968ade9. It is recommended to upgrade the affected component. VDB-217434 is the identifier assigned to this vulnerability.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-25095

GHSA ID

GHSA-vq8w-x8v7-f88m

EPSS Score

0.21933%

CWE

CWE-79

Published

1/5/2023

Updated

9/27/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ldapcherry	pip	< 1.0.0	1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key patterns: 1) Use of base64 encoding (instead of URL-safe encoding) for user-controlled redirect URLs in _check_auth, which bypassed proper escaping. 2) Direct use of decoded URL parameters in login redirection without sanitization. The commit diff shows replacement of base64 with urllib.quote_plus and template escaping improvements, confirming these functions were the injection points. The templates' ${form} and ${roles} variables also lacked HTML escaping filters before the patch, but these are template-level issues rather than discrete functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, w*s *oun* in k*kw* L**p***rry up to *.x. *****t** is *n unknown *un*tion o* t** *ompon*nt URL **n*l*r. T** m*nipul*tion l***s to *ross sit* s*riptin*. It is possi*l* to l*un** t** *tt**k r*mot*ly.

Reasoning

T** vuln*r**ility st*ms *rom two k*y p*tt*rns: *) Us* o* **s*** *n*o*in* (inst*** o* URL-s*** *n*o*in*) *or us*r-*ontroll** r**ir**t URLs in _****k_*ut*, w*i** *yp*ss** prop*r *s**pin*. *) *ir**t us* o* ***o*** URL p*r*m*t*rs in lo*in r**ir**tion wit

6.1

Basic Information

Concerned about an active attack path?

CVE-2019-25095: LdapCherry Cross-site Scripting vulnerbaility

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI