exploitDog

CVE-2021-37935

Published: 10 Dec 2021
Source: nvd
CVSS3: 7.5
CVSS2: 5
EPSS: Low

Description

An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code.

Vulnerable configurations

Configuration 1
cpe:2.3:a:huntflow:huntflow_enterprise:*:*:*:*:*:*:*:*
Versions up to and including 3.10.4

EPSS

Percentile: 63%
0.00452
Low

CVSS3: 7.5 High

CVSS2: 5 Medium

Weaknesses

CWE-200

Related vulnerabilities

github
about 4 years ago

An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the "isLdap" JavaScript parameter in the HTML source code.
