SurgeLDAP 1.0g (Build 12), and possibly other versions before 1.0h, allows remote attackers to bypass authentication for the administration interface via a direct request to admin.cgi with a modified utoken parameter.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Surgeldap | Netwin | 1.0f | 1.0f |
Surgeldap | Netwin | 1.0e | 1.0e |
Surgeldap | Netwin | 1.0b | 1.0b |
Surgeldap | Netwin | 1.0a | 1.0a |
Surgeldap | Netwin | 1.0g | 1.0g |
Surgeldap | Netwin | 1.0d | 1.0d |