Main Vulnerability Database Vulnerabilities #VU6864

LDAP injection in Drupal ldap - #VU6864

Published: May 31, 2017 / Updated: June 2, 2017

Vulnerability identifier: #VU6864

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Hendrik Grahl

Affected software:
Drupal ldap

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary LDAP queries.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted HTTP request to vulnerable script, execute arbitrary LDAP queries and obtain potentially sensitive information.

Remediation

Update to version 7.x-2.2.

Sources

https://www.drupal.org/node/2882805

LDAP injection in Drupal ldap - #VU6864

Detailed vulnerability description

Remediation

Sources

Please verify you're human