| Titel | projectsend 35dfd6f08f7d517709c77ee73e57367141107e6b LDAP Injection |
|---|
| Beschreibung | The ldap_email parameter is interpolated directly into an LDAP search filter without sanitization via ldap_escape(). An attacker can append wildcard characters to manipulate the filter, causing the server to return different error messages depending on whether a user exists in the LDAP directory — enabling email enumeration without any account. |
|---|
| Quelle | ⚠️ https://drive.google.com/file/d/1TNwWNTcra2ykx0yXpATPmsPgJxIxOrWb/view?usp=sharing |
|---|
| Benutzer | 0xNayel (UID 80926) |
|---|
| Einreichung | 28.02.2026 10:59 (vor 1 Monat) |
|---|
| Moderieren | 12.03.2026 10:08 (12 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 350657 [projectsend bis r1945 Auth.php ldap_email Information Disclosure] |
|---|
| Punkte | 19 |
|---|