CVE-2018-12421

CRITICAL

LTB Self Service Password <1.3 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-12421. PoCs published by reversebrain.

AI-analyzed exploit summary: The repository contains a minimal bash script that sends a POST request with password change parameters, but lacks context or exploitation details for CVE-2018-12421. The README provides no additional information.

Description

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

Exploits (1)

nomisec STUB 1 stars
by reversebrain · poc
https://github.com/reversebrain/CVE-2018-12421

Classification: Stub 30%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Auth required
Prerequisites: target endpoint URL · valid session/credentials
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Mailing List, Patch, Vendor Advisory x_refsource_misc
https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html

Scores

CVSS v3 9.8
EPSS 0.0276
EPSS Percentile 84.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-640
Status published
Products (1)
ltb-project/ldap_tool_box_self_service_password < 1.3
Published Jun 14, 2018
Tracked Since Feb 18, 2026