CVE-2024-54852
Published: 29 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-54852 is an LDAP injection vulnerability (CWE-90) in Teedy versions 1.9 through 1.12 when LDAP connection is activated. The flaw arises from improper sanitization of user input in the username field of the login form, enabling injection of malicious LDAP queries. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility and lack of prerequisites.
An unauthenticated attacker can exploit the vulnerability remotely by submitting crafted input to the login form's username field. Successful exploitation allows various malicious LDAP actions, including creating arbitrary accounts and performing password spraying.
Advisories and further details, including potential mitigation guidance, are available in the referenced GitHub repository at https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LDAP injection in the public-facing login form enables unauthenticated exploitation (T1190), arbitrary account creation (T1136), and password spraying (T1110.003).