CVE-2024-54852

When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md	Exploit Third Party Advisory
https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sismics:teedy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-29 22:15

Updated : 2025-05-24 01:14

NVD link : CVE-2024-54852

Mitre link : CVE-2024-54852

CVE.ORG link : CVE-2024-54852

JSON object : View

Products Affected

sismics

teedy

CWE

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

{"id": "CVE-2024-54852", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-01-29T22:15:29.723", "references": [{"url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md", "tags": ["Exploit", "Third Party Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-90"}]}], "descriptions": [{"lang": "en", "value": "When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords."}, {"lang": "es", "value": "Cuando se activa la conexi\u00f3n LDAP en las versiones de Teedy entre 1.9 y 1.12, el campo de nombre de usuario del formulario de inicio de sesi\u00f3n es vulnerable a la inyecci\u00f3n LDAP. Debido a la introducci\u00f3n incorrecta de desinfecci\u00f3n en la entrada del usuario, un atacante no autenticado puede realizar varias acciones maliciosas, como crear cuentas arbitrarias y difundir contrase\u00f1as."}], "lastModified": "2025-05-24T01:14:43.543", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sismics:teedy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A8D78C9-F89D-420E-BBF4-F2C76E114ECF", "versionEndIncluding": "1.12", "versionStartIncluding": "1.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}