CVE-2018-12421

Name of the Vulnerable Software and Affected Versions LTB (aka LDAP Tool Box) Self Service Password versions prior to 1.3

Description The issue allows a change to a user password without knowing the old password via a crafted POST request. This is due to the mishandling of the ldap bind return value and the lack of constraint on the PHP data type to be a string.

Recommendations For versions prior to 1.3, update to version 1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the password change functionality until the update is applied.