LDAP Tool Box Self Service Password before 1.3 - Unauthenticated Password Change Vulnerability

LDAP Tool Box Self Service Password before 1.3 - Unauthenticated Password Change Vulnerability

CVE-2018-12421 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a change to a user password (without knowing the old password) via a crafted POST request, because the ldap_bind return value is mishandled and the PHP data type is not constrained to be a string.

Learn more about our Cis Benchmark Audit For Bind.