CVE-2021-37933
HIGHHuntflow Enterprise < 3.10.6 - Unauthenticated LDAP Injection via Email Parameter
Title source: llmDescription
An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/andrey-lomtev/cbf12bc8d8763996cf8d6d1641a0b049
Scores
CVSS v3
7.5
EPSS
0.0147
EPSS Percentile
70.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-74
Status
published
Products (1)
huntflow/huntflow_enterprise
< 3.10.6
Published
Oct 14, 2021
Tracked Since
Feb 18, 2026