andrey-lomtev
andrey-lomtev
/ CVE-2021-37933
Last active
October 13, 2021 15:03
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2021-37933 | |
| ------------------------------------------ | |
| LDAP injection | |
| ------------------------------------------ | |
| [Suggested description] | |
| An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter. | |
| ------------------------------------------ |
andrey-lomtev
/ CVE-2021-37934
Last active
December 7, 2021 12:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2021-37934 | |
| ------------------------------------------ | |
| Insufficient server-side login-attempt limit | |
| ------------------------------------------ | |
| [Suggested description] | |
| Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. | |
| ------------------------------------------ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2021-37935 | |
| ------------------------------------------ | |
| Disclose of LDAP server's domain name | |
| ------------------------------------------ | |
| [Suggested description] | |
| An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code. | |
| ------------------------------------------ |