PT-2021-21925 · Unknown · Huntflow Enterprise

Andrey Lomtev · Published 2021-10-14 · Updated 2021-10-20 · CVE-2021-37933

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Huntflow Enterprise versions prior to 3.10.6
Description: The issue is an LDAP injection vulnerability in the /account/login endpoint. Because the server does not sufficiently validate the email parameter, an unauthenticated remote user can alter the logic of the LDAP query and bypass authentication. An attacker could exploit this by sending login attempts with a valid password and a wildcard character in the email parameter.
Recommendations: For versions prior to 3.10.6, update to version 3.10.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the /account/login endpoint or validating the email parameter on the client side to reduce the risk of exploitation.
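
An added illustration (not Huntflow's code) of the mechanism the description names: an LDAP filter that interpolates the email parameter verbatim, beside a hardened build that validates the value server-side, escapes it per RFC 4515 and requires exactly one directory match before any bind. The directory contents, function names and filter shape are assumptions, and the toy search evaluator stands in for a real LDAP client.

```python
import re
from fnmatch import fnmatchcase

# Constructed toy directory standing in for the entries the LDAP server holds.
DIRECTORY = {"alice@example.com": "uid=alice", "bob@example.com": "uid=bob"}

def build_filter_vulnerable(email):
    # Unsafe pattern: the submitted value is interpolated verbatim, so a '*'
    # becomes an LDAP wildcard and the filter matches many entries, not one.
    return f"(&(objectClass=person)(mail={email}))"

def ldap_escape(value):
    # RFC 4515 section 3: '*', '(', ')', '\' and NUL are written as \XX.
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_valid_email(email):
    # Server-side allow-list check; wildcards and filter metacharacters fail it.
    return EMAIL_RE.fullmatch(email) is not None

def build_filter_hardened(email):
    # Reject anything that is not a plain address, then escape what survives
    # so the value can only ever be compared literally.
    if not is_valid_email(email):
        raise ValueError("email failed server-side validation")
    return f"(&(objectClass=person)(mail={ldap_escape(email)}))"

def search_mail(ldap_filter):
    # Toy evaluator for the filters built above (assumption: real code would
    # hand the filter to an LDAP client). \XX escapes are restored as literal
    # characters; any bare '*' left over behaves as an LDAP wildcard.
    pattern = ldap_filter.split("(mail=", 1)[1].rsplit("))", 1)[0]
    literal = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda m: "[" + chr(int(m.group(1), 16)) + "]", pattern)
    return [dn for mail, dn in DIRECTORY.items() if fnmatchcase(mail, literal)]

def resolve_login_dn(email):
    # The login path must resolve exactly one DN before attempting a bind;
    # a multi-entry result means the filter no longer identifies one account.
    hits = search_mail(build_filter_hardened(email))
    if len(hits) != 1:
        raise LookupError("expected exactly one directory entry")
    return hits[0]
```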

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2021-37933

Affected Products

Huntflow Enterprise