CVE-2024-54852 - Vulnerability Details - OpenCVE

When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Sismics	Teedy

Configuration 1 [-]

cpe:2.3:a:sismics:teedy:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md

History

Sat, 24 May 2025 01:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sismics Sismics teedy
CPEs		cpe:2.3:a:sismics:teedy::::::::
Vendors & Products		Sismics Sismics teedy

Mon, 10 Feb 2025 22:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-90
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 29 Jan 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.
References		https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-01-29T00:00:00.000Z

Updated: 2025-02-10T22:11:34.342Z

Reserved: 2024-12-06T00:00:00.000Z

Link: CVE-2024-54852

Vulnrichment

Updated: 2025-02-03T18:33:31.852Z

NVD

Status : Analyzed

Published: 2025-01-29T22:15:29.723

Modified: 2025-05-24T01:14:43.543

Link: CVE-2024-54852

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-54852", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-10T22:11:34.342Z", "dateReserved": "2024-12-06T00:00:00.000Z", "datePublished": "2025-01-29T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-29T21:27:43.679Z"}, "descriptions": [{"lang": "en", "value": "When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-90", "lang": "en", "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}], "references": [{"url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-03T18:22:15.775150Z", "id": "CVE-2024-54852", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T22:11:34.342Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-54852", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-03T18:22:15.775150Z"}}}], "references": [{"url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-90", "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-03T18:33:31.852Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"}], "descriptions": [{"lang": "en", "value": "When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-29T21:27:43.679Z"}}}, "cveMetadata": {"cveId": "CVE-2024-54852", "state": "PUBLISHED", "dateUpdated": "2025-02-10T22:11:34.342Z", "dateReserved": "2024-12-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-01-29T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sismics:teedy:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A8D78C9-F89D-420E-BBF4-F2C76E114ECF", "versionEndIncluding": "1.12", "versionStartIncluding": "1.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords."}, {"lang": "es", "value": "Cuando se activa la conexi\u00f3n LDAP en las versiones de Teedy entre 1.9 y 1.12, el campo de nombre de usuario del formulario de inicio de sesi\u00f3n es vulnerable a la inyecci\u00f3n LDAP. Debido a la introducci\u00f3n incorrecta de desinfecci\u00f3n en la entrada del usuario, un atacante no autenticado puede realizar varias acciones maliciosas, como crear cuentas arbitrarias y difundir contrase\u00f1as."}], "id": "CVE-2024-54852", "lastModified": "2025-05-24T01:14:43.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-29T22:15:29.723", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Tanguy-Boisset/CVE/blob/master/CVE-2024-54852/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-90"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}