LemonLDAP-NG LemonLDAP::NG 2.0.2

CPE Details

CPE: LemonLDAP-NG LemonLDAP::NG 2.0.2
Version: 2.0.2
2019-07-11 12h06 +00:00
2025-05-28 15h23 +00:00

CPE Name: cpe:2.3:a:lemonldap-ng:lemonldap\:\:ng:2.0.2:*:*:*:*:*:*:*

Information

Vendor: lemonldap-ng
Product: lemonldap::ng
Version: 2.0.2

Related CVE


CVE-2024-48933
Published: 2024-10-08 22h00 +00:00
Score: 6.1 (Medium)
Description: A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.

CVE-2023-44469
Published: 2023-09-28 22h00 +00:00
Score: 4.3 (Medium)
Description: A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

CVE-2019-19791
Published: 2023-05-28 22h00 +00:00
Score: 9.8 (Critical)
Description: In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.

CVE-2022-37186
Published: 2023-04-16 00h00 +00:00
Score: 5.9 (Medium)
Description: In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

CVE-2023-28862
Published: 2023-03-31 00h00 +00:00
Score: 9.8 (Critical)
Description: An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.

CVE-2020-16093
Published: 2022-07-16 22h00 +00:00
Score: 7.5 (High)
Description: In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, the validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.

CVE-2021-35472
Published: 2021-07-27 03h32 +00:00
Score: 8.8 (High)
Description: An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

CVE-2020-24660
Published: 2020-09-14 10h51 +00:00
Score: 9.8 (Critical)
Description: An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.

CVE-2019-15941
Published: 2019-09-25 17h39 +00:00
Score: 9.8 (Critical)
Description: The OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.