Total
32 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45910 | 1 Apache | 1 Manifoldcf | 2025-04-22 | N/A | 5.3 MEDIUM |
| Improper neutralization of special elements used in an LDAP query ('LDAP Injection') vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions. | |||||
| CVE-2015-7294 | 1 Ldapauth-fork Project | 1 Ldapauth-fork | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username. | |||||
| CVE-2016-9870 | 1 Emc | 1 Isilon Onefs | 2025-04-20 | 7.2 HIGH | 6.7 MEDIUM |
| EMC Isilon OneFS 8.0.0.0, EMC Isilon OneFS 7.2.1.0 - 7.2.1.2, EMC Isilon OneFS 7.2.0.x, EMC Isilon OneFS 7.1.1.0 - 7.1.1.10, and EMC Isilon OneFS 7.1.0.x is affected by an LDAP injection vulnerability that could potentially be exploited by a malicious user to compromise the system. | |||||
| CVE-2017-14596 | 1 Joomla | 1 Joomla\! | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password. | |||||
| CVE-2017-4927 | 1 Vmware | 1 Vcenter Server | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) does not correctly handle specially crafted LDAP network packets which may allow for remote denial of service. | |||||
| CVE-2017-8790 | 1 Accellion | 1 File Transfer Appliance | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Accellion FTA devices before FTA_9_12_180. The home/seos/courier/ldaptest.html POST parameter "filter" can be used for LDAP Injection. | |||||
| CVE-2016-9299 | 2 Fedoraproject, Jenkins | 2 Fedora, Jenkins | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server. | |||||
| CVE-2025-27686 | 2025-04-07 | N/A | 2.7 LOW | ||
| Dell Unisphere for PowerMax, version(s) prior to 10.2.0.9 and PowerMax version(s) prior to PowerMax 9.2.4.15, contain an Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection. | |||||
| CVE-2025-27631 | 2025-03-27 | N/A | 6.5 MEDIUM | ||
| The TRMTracker web application is vulnerable to LDAP injection attack potentially allowing an attacker to inject code into a query and execute remote commands that can read and update data on the website. | |||||
| CVE-2022-4254 | 2 Fedoraproject, Redhat | 13 Sssd, Enterprise Linux, Enterprise Linux Desktop and 10 more | 2025-03-27 | N/A | 8.8 HIGH |
| sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters | |||||
| CVE-2024-54852 | 2025-02-10 | N/A | 9.8 CRITICAL | ||
| When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords. | |||||
| CVE-2024-56841 | 2025-01-14 | N/A | 7.4 HIGH | ||
| A vulnerability has been identified in Mendix LDAP (All versions < V1.1.2). Affected versions of the module are vulnerable to LDAP injection. This could allow an unauthenticated remote attacker to bypass username verification. | |||||
| CVE-2024-27310 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-11-27 | N/A | 5.3 MEDIUM |
| Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input. | |||||
| CVE-2024-33868 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| An issue was discovered in linqi before 1.4.0.1 on Windows. There is LDAP injection. | |||||
| CVE-2023-6905 | 1 Nxfilter | 1 Nxfilter | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5. This issue affects some unknown processing of the file user,adap.jsp?actionFlag=test&id=1 of the component Bind Request Handler. The manipulation leads to ldap injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-248267. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-51446 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 5.9 MEDIUM |
| GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12. | |||||
| CVE-2023-31025 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2024-11-21 | N/A | 6.5 MEDIUM |
| NVIDIA DGX A100 BMC contains a vulnerability where an attacker may cause an LDAP user injection. A successful exploit of this vulnerability may lead to information disclosure. | |||||
| CVE-2023-29050 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | N/A | 7.6 HIGH |
| The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known. | |||||
| CVE-2023-28853 | 1 Joinmastodon | 1 Mastodon | 2024-11-21 | N/A | 7.7 HIGH |
| Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection attack to leak arbitrary attributes from LDAP database. This issue is fixed in versions 3.5.8, 4.0.4, and 4.1.2. | |||||
| CVE-2021-43782 | 1 Enalean | 1 Tuleap | 2024-11-21 | 6.0 MEDIUM | 6.7 MEDIUM |
| Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. This is a follow up to GHSA-887w-pv2r-x8pm/CVE-2021-41276, the initial fix was incomplete. Tuleap does not sanitize properly the search filter built from the ldap_id attribute of a user during the daily synchronization. A malicious user could force accounts to be suspended or take over another account by forcing the update of the ldap_uid attribute. Note that the malicious user either need to have site administrator capability on the Tuleap instance or be an LDAP operator with the capability to create/modify account. The Tuleap instance needs to have the LDAP plugin activated and enabled for this issue to be exploitable. The following versions contain the fix: Tuleap Community Edition 13.2.99.83, Tuleap Enterprise Edition 13.1-6, and Tuleap Enterprise Edition 13.2-4. | |||||