CVE-2020-15259

Published: Nov 6, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

ad-ldap-connector's admin panel before version 5.0.13 does not provide csrf protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13.

Vendor	Product	Versions
auth0	ad-ldap-connector	affected `< 0.0.1`

Weaknesses (CWE)

CWE-352

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/auth0/ad-ldap-connector/security/advisories/GHSA-vx5q-cp9v-427v

x_refsource_CONFIRM

https://github.com/auth0/ad-ldap-connector/commit/8b793631ec5ecacf63ff3ece23231a9e138ae911

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-15259

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References