An LDAP injection vulnerability in /account/login in Huntflow Enterprise prior to 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication exploiting this vulnerability by sending login attempts in which there is a valid password but a wildcard character in email parameter.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
huntflow huntflow enterprise |