Description
The user-controlled "name" input is not sanitized before it is used in LDAP searches by searchAndBuildUser. Because LDAP filter metacharacters are passed through unchanged, this can lead to LDAP injection.
Possible scenario: an attacker can brute-force password authentication without needing to target a specific user or to test every user. For instance, instead of having to test 1 M passwords against adupont@linagora.com and then against amartin@linagora.com, they can test against a*. Once a password matches, they can quickly narrow down to the affected user by dichotomy (aa*, ab*, aba*, abb*, etc.).
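The following is an added example, not code from the advisory or from the affected project: it shows a filter built from the raw "name" value beside one built with RFC 4515 escaping, so that the wildcard input from the scenario above is matched literally. JavaScript, the `uid` attribute and the filter template are assumptions for illustration.

```javascript
// Added example (not the project's own code): building an LDAP search filter
// from a user-supplied "name" with and without escaping.
// The attribute name "uid" and the filter template are assumed for illustration.

// RFC 4515 requires these characters to be escaped inside a filter value.
const LDAP_FILTER_ESCAPES = {
  '\\': '\\5c',
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\0': '\\00',
};

// Escape every filter metacharacter in a value so it is matched literally.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => LDAP_FILTER_ESCAPES[ch]);
}

// Vulnerable pattern: the raw input is interpolated, so "a*" acts as a wildcard
// and the filter matches every uid starting with "a".
function buildFilterUnsafe(name) {
  return `(uid=${name})`;
}

// Hardened pattern: the input is escaped, so "a*" only matches the literal uid "a*".
function buildFilterSafe(name) {
  return `(uid=${escapeLdapFilterValue(name)})`;
}

// Detection helper for inbound requests or logs: does the submitted name still
// contain unescaped filter metacharacters? Useful as an alerting signal.
function containsFilterMetachars(name) {
  return /[\\*()\0]/.test(String(name));
}

// Constructed input taken from the scenario in the advisory.
console.log(buildFilterUnsafe('a*')); // (uid=a*)
console.log(buildFilterSafe('a*'));   // (uid=a\2a)
console.log(containsFilterMetachars('ab*')); // true
```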