Total
19 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-5730 | 4 Debian, Fedoraproject, Mit and 1 more | 6 Debian Linux, Fedora, Kerberos 5 and 3 more | 2024-11-21 | 5.5 MEDIUM | 3.8 LOW |
| MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN. | |||||
| CVE-2017-8790 | 1 Accellion | 1 File Transfer Appliance | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection. | |||||
| CVE-2017-4927 | 1 Vmware | 1 Vcenter Server | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remote denial of service. | |||||
| CVE-2017-14596 | 1 Joomla | 1 Joomla\! | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. | |||||
| CVE-2016-9870 | 1 Emc | 1 Isilon Onefs | 2024-11-21 | 7.2 HIGH | 6.7 MEDIUM |
| EMC Isilon OneFS 8.0.0.0, EMC Isilon OneFS 7.2.1.0 - 7.2.1.2, EMC Isilon OneFS 7.2.0.x, EMC Isilon OneFS 7.1.1.0 - 7.1.1.10, and EMC Isilon OneFS 7.1.0.x is affected by an LDAP injection vulnerability that could potentially be exploited by a malicious user to compromise the system. | |||||
| CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | |||||
| CVE-2016-8750 | 1 Apache | 1 Karaf | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate users to a directory via LDAP. However, it did not encoding usernames properly and hence was vulnerable to LDAP injection attacks leading to a denial of service. | |||||
| CVE-2015-7294 | 1 Ldapauth-fork Project | 1 Ldapauth-fork | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username. | |||||
| CVE-2011-4069 | 1 Packetfence | 1 Packetfence | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to conduct LDAP injection attacks and consequently bypass authentication via a crafted username. | |||||
| CVE-2024-27310 | 2024-10-07 | N/A | 5.3 MEDIUM | ||
| Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input. | |||||
| CVE-2024-33868 | 2024-09-15 | N/A | 9.8 CRITICAL | ||
| An issue was discovered in linqi before 1.4.0.1 on Windows. There is LDAP injection. | |||||
| CVE-2023-6905 | 1 Nxfilter | 1 Nxfilter | 2024-05-17 | 4.0 MEDIUM | 9.8 CRITICAL |
| A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5. This issue affects some unknown processing of the file user,adap.jsp?actionFlag=test&id=1 of the component Bind Request Handler. The manipulation leads to ldap injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-248267. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2015-10027 | 1 Ttrrs-auth-ldap Project | 1 Ttrrs-auth-ldap | 2024-05-17 | 4.9 MEDIUM | 9.8 CRITICAL |
| A vulnerability, which was classified as problematic, has been found in hydrian TTRSS-Auth-LDAP. Affected by this issue is some unknown functionality of the component Username Handler. The manipulation leads to ldap injection. Upgrading to version 2.0b1 is able to address this issue. The patch is identified as a7f7a5a82d9202a5c40d606a5c519ba61b224eb8. It is recommended to upgrade the affected component. VDB-217622 is the identifier assigned to this vulnerability. | |||||
| CVE-2021-41232 | 1 Thunderdome | 1 Planning Poker | 2024-02-08 | 7.5 HIGH | 9.8 CRITICAL |
| Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use. | |||||
| CVE-2023-51446 | 1 Glpi-project | 1 Glpi | 2024-02-07 | N/A | 8.1 HIGH |
| GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12. | |||||
| CVE-2023-28853 | 1 Joinmastodon | 1 Mastodon | 2024-02-04 | N/A | 6.5 MEDIUM |
| Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2. | |||||
| CVE-2023-3447 | 1 Miniorange | 1 Active Directory Integration \/ Ldap Integration | 2024-02-04 | N/A | 7.5 HIGH |
| The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due to insufficient escaping on the supplied username value. This makes it possible for unauthenticated attackers to extract potentially sensitive information from the LDAP directory. | |||||
| CVE-2021-32651 | 1 Onedev Project | 1 Onedev | 2024-02-04 | 4.3 MEDIUM | 4.3 MEDIUM |
| OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2. | |||||
| CVE-2019-4297 | 1 Ibm | 1 Robotic Process Automation With Automation Anywhere | 2024-02-04 | 5.5 MEDIUM | 5.4 MEDIUM |
| IBM Robotic Process Automation with Automation Anywhere 11 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability to make unauthorized queries or modify the LDAP content. IBM X-Force ID: 160761. | |||||