CVE-2021-37935

{"id": "CVE-2021-37935", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2021-12-10T17:15:07.637", "references": [{"url": "https://gist.github.com/andrey-lomtev/c970fb7dd022d04f5b57ad37fbedd064", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/andrey-lomtev/c970fb7dd022d04f5b57ad37fbedd064", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability in the login page of Huntflow Enterprise before 3.10.4 could allow an unauthenticated, remote user to get information about the domain name of the configured LDAP server. An attacker could exploit this vulnerability by requesting the login page and searching for the \"isLdap\" JavaScript parameter in the HTML source code."}, {"lang": "es", "value": "Una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en la p\u00e1gina de inicio de sesi\u00f3n de Huntflow Enterprise versiones anteriores a 3.10.4, podr\u00eda permitir a un usuario remoto no autenticado conseguir informaci\u00f3n sobre el nombre de dominio del servidor LDAP configurado. Un atacante podr\u00eda aprovechar esta vulnerabilidad al solicitar la p\u00e1gina de inicio de sesi\u00f3n y buscando el par\u00e1metro JavaScript \"isLdap\" en el c\u00f3digo fuente HTML"}], "lastModified": "2024-11-21T06:16:06.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:huntflow:huntflow_enterprise:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B395E384-706F-4EEE-8127-4D413D8CEE53", "versionEndIncluding": "3.10.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}