Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Lemonldap\:\:ng
(Lemonldap\-Ng)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 9 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-09-14 | CVE-2020-24660 | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package. | Debian_linux, Lemonldap\:\:ng, Lemonldap\:\:ng_handler | 9.8 | ||
| 2021-07-30 | CVE-2021-35472 | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users. | Debian_linux, Lemonldap\:\:ng | 8.8 | ||
| 2022-07-18 | CVE-2020-16093 | In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. | Debian_linux, Lemonldap\:\:ng | 7.5 | ||
| 2022-07-18 | CVE-2021-40874 | An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user. | Debian_linux, Lemonldap\:\:ng | 9.8 | ||
| 2023-03-31 | CVE-2023-28862 | An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session. | Lemonldap\:\:ng | 9.8 | ||
| 2023-04-16 | CVE-2022-37186 | In LemonLDAP::NG before 2.0.15. some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically. | Lemonldap\:\:ng | 5.9 | ||
| 2023-09-29 | CVE-2023-44469 | A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770. | Lemonldap\:\:ng | 4.3 | ||
| 2024-10-09 | CVE-2024-48933 | A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters. | Lemonldap\:\:ng | 6.1 | ||
| 2023-05-29 | CVE-2019-19791 | In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive. | Lemonldap\:\:ng | 9.8 |