CVE-2024-54852

When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.
LDAP Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 39%
VendorProductVersion
sismicsteedy
1.9 ≤
𝑥
≤ 1.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md
https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md