CVE-2020-35775
Description
CITSmart before 9.1.2.23 allows LDAP Injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CITSmart ITSM before 9.1.2.23 is vulnerable to LDAP injection via unsanitized user input in LDAP queries.
Vulnerability
CITSmart ITSM versions prior to 9.1.2.23 contain an LDAP injection vulnerability in the LDAP integration module. The flaw resides in the LDAPUtils.java file [1], where user-supplied input is concatenated directly into LDAP query strings without proper sanitization or parameterization. This allows an attacker to inject arbitrary LDAP filter syntax.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted input to any CITSmart endpoint that uses LDAP queries, such as authentication or user lookup functions. No prior authentication is required if the vulnerable endpoint is exposed. The attacker injects LDAP metacharacters (e.g., *, |, &, !) to alter the query logic, potentially bypassing authentication or extracting directory information [2].
Impact
Successful exploitation enables an attacker to bypass authentication, enumerate LDAP directory entries, or gain unauthorized access to the CITSmart system. This can lead to disclosure of sensitive user information and privilege escalation, compromising the confidentiality and integrity of the affected instance.
Mitigation
Upgrade to CITSmart version 9.1.2.23 or later, which includes the fix for this vulnerability [2]. No official workaround has been published. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
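The root cause described above (user input concatenated straight into an LDAP filter string) is fixed in application code by escaping assertion values per RFC 4515 before they are placed in the filter. The following added example is not CITSmart's code and is not taken from the cited LDAPUtils.java; it is a standalone Python illustration with a hypothetical `uid` lookup filter, showing a concatenating builder next to an escaping one, plus a small assertion parser a defender can use in unit tests to confirm that untrusted input can no longer add or widen filter assertions.

```python
import re
from typing import List, Tuple

# RFC 4515 section 3: characters that must be escaped in an LDAP filter
# assertion value so they are treated as data rather than filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return `value` with RFC 4515 metacharacters hex-escaped."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """The anti-pattern the advisory describes: raw string concatenation.
    (Hypothetical filter shape, constructed for this example.)"""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_filter_safe(username: str) -> str:
    """Same filter, but the untrusted value is escaped first."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


# Matches one simple equality assertion "(attr=value)"; values cannot contain
# unescaped parentheses, so an injected ")(" splits into extra assertions.
_ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)=([^()]*)\)")


def assertions(filter_str: str) -> List[Tuple[str, str]]:
    """Extract (attribute, value) pairs from a filter string.

    Used here as a test oracle: a correctly escaped filter built from one
    username yields exactly one uid assertion whose value contains no raw '*'.
    """
    return _ASSERTION_RE.findall(filter_str)


def filter_is_intact(filter_str: str, expected_assertions: int) -> bool:
    """True if the filter has the expected number of assertions and no
    unescaped wildcard survived in any value."""
    pairs = assertions(filter_str)
    return len(pairs) == expected_assertions and all("*" not in v for _, v in pairs)


if __name__ == "__main__":
    # Constructed sample input containing the metacharacters named in the
    # advisory; it should only ever match a user literally named this way.
    sample = "*)(uid=*"
    print("vulnerable:", build_filter_vulnerable(sample))
    print("safe:      ", build_filter_safe(sample))
    print("intact?    ", filter_is_intact(build_filter_safe(sample), 2))
```

The escaping function is the part to port into real code; the `assertions` helper exists only so a regression test can check the property that matters (one username in, one literal `uid` assertion out) without needing a directory server.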
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CITSmart/CITSmart
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/162181/CITSmart-ITSM-9.1.2.22-LDAP-Injection.html (MISC)
- citsmart.com.br/solucoes/itsm-2/ (MISC)
- docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html (CONFIRM)
- github.com/nardnet/citsmart/blob/master/WEB-INF/src/br/com/centralit/citcorpore/integracao/ad/LDAPUtils.java (MISC)
- rdstation-static.s3.amazonaws.com/cms/files/86153/1597862259Ebook-Whatsnew-CITSmart.pdf (MISC)
News mentions
No linked articles in our index yet.