CVE-2020-23148
HIGH
rConfig 3.9.5 - LDAP Injection via userLogin Parameter
Title source: llmDescription
The userLogin parameter in ldap/login.php of rConfig 3.9.5 is unsanitized, allowing attackers to perform LDAP injection and obtain sensitive information via a crafted POST request.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rconfig/rconfig/blob/7ef8bd8d606bc10835e1b8f6f72a2048094816d3/www/ldap/authenticate.php#L34
Third Party Advisory x_refsource_misc
https://cwe.mitre.org/data/definitions/90.html
Scores
CVSS v3: 7.5
EPSS: 0.0162
EPSS Percentile: 73.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-74
Status: published
Products (1): rconfig/rconfig 3.9.5
Published: Aug 09, 2021
Tracked Since: Feb 18, 2026