CVE-2024-54852

CRITICAL

Sismics Teedy < 1.12 - LDAP Injection

Title source: rule

Description

When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.

References (1)

[Exploit, Third Party Advisory] https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0013

EPSS Percentile 31.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-90

Status published

Products (1)

sismics/teedy 1.9 - 1.12

Published Jan 29, 2025

Tracked Since Feb 18, 2026