CVE-2021-37935
Severity: HIGH
Huntflow Enterprise < 3.10.4 - Unauthenticated LDAP Server Domain Disclosure via Login Page
An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code.
References (1)
Third Party Advisory (x_refsource_misc)
https://gist.github.com/andrey-lomtev/c970fb7dd022d04f5b57ad37fbedd064
Scores
CVSS v3
7.5
EPSS
0.0137
EPSS Percentile
68.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
huntflow/huntflow_enterprise
< 3.10.4
Published
Dec 10, 2021
Tracked Since
Feb 18, 2026