Coudot

**Name of the Vulnerable Software and Affected Versions** LTB (aka LDAP Tool Box) Self Service Password versions prior to 1.3 **Description** The issue allows a change to a user password without knowing the old password via a crafted POST request. This is due to the mishandling of the ldap bind return value and the lack of constraint on the PHP data type to be a string. **Recommendations** For versions prior to 1.3, update to version 1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the password change functionality until the update is applied.