NVD:CVE-2024-37393
History: Jun 10, 2024 - 8:15 p.m.

CVE-2024-37393

2024-06-10 20:15:15
CWE-319
CWE-89
web.nvd.nist.gov
securenvoy mfa
ldap injection
active directory
laps
cleartext password
remote attacker
vulnerability
exfiltration

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.013
Percentile: 85.9%

Multiple LDAP injection vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.

Affected configurations

Nvd

Node: securenvoy multi-factor_authentication_solutions, Range: <9.4.514

Vendor: securenvoy
Product: multi-factor_authentication_solutions
Version: *
CPE: cpe:2.3:a:securenvoy:multi-factor_authentication_solutions:*:*:*:*:*:*:*:*
