Design/Logic Flaw

2024-01-0809:15:00

PRIOn knowledge base

www.prio-n.com

ldap

abuse risk

unauthorized access

confidentiality

denial of service

encoding

6.8 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

41.9%

JSON

The optional “LDAP contacts provider” could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.

CPENameOperatorVersion
ox_app_suiteeq7.10.6 rev1
ox_app_suiteeq7.10.6 rev2
ox_app_suiteeq7.10.6 rev3
ox_app_suiteeq7.10.6 rev4
ox_app_suiteeq7.10.6 rev5
ox_app_suiteeq7.10.6 rev6
ox_app_suiteeq7.10.6 rev7
ox_app_suiteeq7.10.6 rev8
ox_app_suiteeq7.10.6 rev9
ox_app_suiteeq7.10.6 rev10

Name	Operator	Version
ox_app_suite	eq	7.10.6 rev1
ox_app_suite	eq	7.10.6 rev2
ox_app_suite	eq	7.10.6 rev3
ox_app_suite	eq	7.10.6 rev4
ox_app_suite	eq	7.10.6 rev5
ox_app_suite	eq	7.10.6 rev6
ox_app_suite	eq	7.10.6 rev7
ox_app_suite	eq	7.10.6 rev8
ox_app_suite	eq	7.10.6 rev9
ox_app_suite	eq	7.10.6 rev10