← Voltar para CVEs

CVE-2018-12421

N/A

Descricao

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

Detalhes CVE

Pontuacao CVSS v3.1N/A

Publicado6/14/2018

Ultima modificacao11/21/2024

Fontenvd

Avistamentos honeypot0

Produtos afetados

ltb-project:ldap_tool_box_self_service_password

Fraquezas (CWE)

CWE-640

Referencias

https://github.com/ltb-project/self-service-password/issues/209(cve@mitre.org)

https://github.com/ltb-project/self-service-password/issues/211(cve@mitre.org)

https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html(cve@mitre.org)

https://github.com/ltb-project/self-service-password/issues/209(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/ltb-project/self-service-password/issues/211(af854a3a-2127-422b-91ae-364da2661108)

https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.