Yotizj13

**Name of the Vulnerable Software and Affected Versions** EspoCRM versions 9.1.6 and earlier **Description** EspoCRM is an Open Source CRM (Customer Relationship Management) software. Versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. **Recommendations** Update to version 9.1.7 or later.