CVE-2004-2254

SurgeLDAP 1.0g - Unauthenticated Authentication Bypass via Modified utoken Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-2254. PoCs published by GSS IT.

AI-analyzed exploit summary: The exploit describes an authentication bypass vulnerability in SurgeLDAP's web administration application. By appending a specific URL parameter, an attacker can gain manager access without authentication.

Description

SurgeLDAP 1.0g (Build 12), and possibly other versions before 1.0h, allows remote attackers to bypass authentication for the administration interface via a direct request to admin.cgi with a modified utoken parameter.

Exploits (1)

Exploit-DB writeup (verified), by GSS IT · textwebappscgi
https://www.exploit-db.com/exploits/24094


Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SurgeLDAP (version not specified)
Authentication: No auth needed
Prerequisites: Network access to the SurgeLDAP web administration interface
Analyzed by devstral-2 on Feb 16, 2026

References (7)

Core References
Exploit, Patch (vdb-entry, x_refsource_sectrack): http://securitytracker.com/alerts/2004/May/1010113.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/16076
Exploit (vdb-entry, x_refsource_sectrack): http://securitytracker.com/id?1010068
Exploit, Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/11549
Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/10294
Exploit, Patch (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/5890

Scores

EPSS: 0.0839
EPSS Percentile: 94.3%

Details

Status: published
Products (6):
netwin/surgeldap 1.0a
netwin/surgeldap 1.0b
netwin/surgeldap 1.0d
netwin/surgeldap 1.0e
netwin/surgeldap 1.0f
netwin/surgeldap 1.0g
Published: Dec 31, 2004
Tracked Since: Feb 18, 2026