FKIE_CVE-2024-54852

Vulnerability from fkie_nvd - Published: 2025-01-29 22:15 - Updated: 2025-05-24 01:14
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.
References
cve@mitre.orghttps://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.mdExploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.mdExploit, Third Party Advisory
Impacted products
Vendor Product Version
sismics teedy *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sismics:teedy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A8D78C9-F89D-420E-BBF4-F2C76E114ECF",
              "versionEndIncluding": "1.12",
              "versionStartIncluding": "1.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords."
    },
    {
      "lang": "es",
      "value": "Cuando se activa la conexi\u00f3n LDAP en las versiones de Teedy entre 1.9 y 1.12, el campo de nombre de usuario del formulario de inicio de sesi\u00f3n es vulnerable a la inyecci\u00f3n LDAP. Debido a la introducci\u00f3n incorrecta de desinfecci\u00f3n en la entrada del usuario, un atacante no autenticado puede realizar varias acciones maliciosas, como crear cuentas arbitrarias y difundir contrase\u00f1as."
    }
  ],
  "id": "CVE-2024-54852",
  "lastModified": "2025-05-24T01:14:43.543",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-29T22:15:29.723",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-90"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.