EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements

July 21, 2025 invoker category_cve

CVE Details

Basic Information

Title EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements
Type cve
Published 2025-07-21T17:48:11.466Z
Modified 2025-07-21T18:09:07.329Z

Product Information

Vendor espocrm
Product espocrm
Version < 9.1.7

CVSS Information

Base Score 6.5 (MEDIUM)
Attack Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Affected Products

  • espocrm espocrm < 9.1.7

Additional Information

CWE List CWE-90
Source GitHub_M

Description

EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7.

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.