CRITICAL🇵🇱 Wersja polska

CVE-2024-54852

CVSS 9.8v3.1pub. 2025-01-29upd. 2025-05-24

When LDAP connection is activated in Teedy versions between 1.9 to 1.12, the username field of the login form is vulnerable to LDAP injection. Due to improper sanitization of user input, an unauthenticated attacker is then able to perform various malicious actions, such as creating arbitrary accounts and spraying passwords.

🤖 AI Analysis
How it works

When LDAP server integration is enabled in Teedy, user input in the username field is not properly validated or sanitized before being passed to the LDAP query. An attacker can inject specially crafted character sequences (LDAP injection), manipulating the authentication query logic. As a result, it is possible to create arbitrary user accounts and conduct password spraying attacks on existing accounts.

Impact

An unauthenticated attacker can create arbitrary accounts in the system and conduct password spraying attacks, which may result in unauthorized access to the application and data stored within it.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. As a temporary remediation measure until the update is deployed, it is recommended to disable LDAP integration in the application configuration.

Who is affected

Sismics Teedy versions 1.9 to 1.12 with activated LDAP integration.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Sismics Teedy

    APP
    Sismics
    1.9 – 1.12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2022-22115CRITICAL9.0ten sam produkt

In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a crea...

CVE-2022-22114CRITICAL9.6ten sam produkt

In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term"...

CVE-2024-54851HIGH8.8ten sam produkt

Teedy <= 1.12 is vulnerable to Cross Site Request Forgery (CSRF), due to the lack of CSRF protection.

CVE-2025-22963HIGH7.5ten sam produkt

Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin.

CVE-2024-46278HIGH8.4ten sam produkt

Teedy 1.11 is vulnerable to Cross Site Scripting (XSS) via the management console.