← Back to CVEs

CVE-2018-12421

N/A

Description

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

CVE Details

CVSS v3.1 ScoreN/A

Published6/14/2018

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

ltb-project:ldap_tool_box_self_service_password

Weaknesses (CWE)

CWE-640

References

https://github.com/ltb-project/self-service-password/issues/209(cve@mitre.org)

https://github.com/ltb-project/self-service-password/issues/211(cve@mitre.org)

https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html(cve@mitre.org)

https://github.com/ltb-project/self-service-password/issues/209(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/ltb-project/self-service-password/issues/211(af854a3a-2127-422b-91ae-364da2661108)

https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.