CVEs (13)
| CVE | Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default val... |
| | | | | | | | | A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter... |
| | | | | | | | | In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an at... |
| | | | | | | | | In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually r... |
| | | | | | | | | An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin th... |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | Nov 21, 2024 | Jul 18, 2022 | N/A | 9.8 CRITICAL | N/A | An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos... |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | Nov 21, 2024 | Jul 18, 2022 | N/A | 7.5 HIGH | N/A | In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl... |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | Nov 21, 2024 | Jul 30, 2021 | N/A | 8.8 HIGH | 6.0 MEDIUM | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be a... |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | Nov 21, 2024 | Sep 14, 2020 | N/A | 9.8 CRITICAL | 7.5 HIGH | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before... |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | May 28, 2025 | Sep 25, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying party... |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | Nov 21, 2024 | Jun 28, 2019 | N/A | 8.1 HIGH | 6.8 MEDIUM | LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule. |
| | Debian, Lemonldap Ng | Debian Linux, Lemonldap | May 28, 2025 | May 22, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | LemonLDAP::NG -2.0.3 has Incorrect Access Control. |
| | | | | | | | | LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data. |