lemonldap-ng vulnerabilities and exploits
NA
CVE-2023-44469
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG prior to 2.17.1 allows authenticated remote malicious users to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.
Lemonldap-ng Lemonldap
NA
CVE-2022-37186
In LemonLDAP::NG prior to 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed...
Lemonldap-ng Lemonldap
7.5
CVSSv2
CVE-2012-6426
LemonLDAP::NG prior to 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote malicious users to bypass intended access-control restrictions via crafted SAML data.
Lemonldap-ng Lemonldap
NA
CVE-2023-28862
An issue exists in LemonLDAP::NG prior to 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow malicious users to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does ...
Lemonldap-ng Lemonldap
NA
CVE-2019-19791
In LemonLDAP::NG (aka lemonldap-ng) prior to 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypa...
Lemonldap-ng Lemonldap
7.5
CVSSv2
CVE-2020-24660
An issue exists in LemonLDAP::NG up to and including 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions prior to 0.5.2 of the "Lemonldap::NG handler for Node.js...
Lemonldap-ng Lemonldap
Debian Debian Linux 10.0
NA
CVE-2021-40874
An issue exists in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combina...
Lemonldap-ng Lemonldap
Debian Debian Linux 10.0
6.8
CVSSv2
CVE-2019-13031
LemonLDAP::NG prior to 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
Lemonldap-ng Lemonldap
Debian Debian Linux 8.0
NA
CVE-2020-36658
In Apache::Session::LDAP prior to 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the C...
Lemonldap-ng Apache
Debian Debian Linux 10.0
NA
CVE-2020-36659
In Apache::Session::Browseable prior to 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction wi...
Lemonldap-ng Apache
Debian Debian Linux 10.0