Vulmon
lemonldap-ng vulnerabilities and exploits
CVE-2023-28862 (CVSSv3 9.8)
An issue exists in LemonLDAP::NG prior to 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow malicious users to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does ...
Affected: Lemonldap-ng LemonLDAP::NG
CVE-2019-19791 (CVSSv3 9.8)
In LemonLDAP::NG (aka lemonldap-ng) prior to 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypa...
Affected: Lemonldap-ng LemonLDAP::NG
CVE-2023-44469 (CVSSv3 4.3)
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG prior to 2.17.1 allows authenticated remote malicious users to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.
Affected: Lemonldap-ng LemonLDAP::NG
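The CVE-2023-44469 entry describes an issuer that dereferences whatever URL arrives in request_uri. The standard fix is to treat request_uri as an allowlisted value rather than a URL to fetch: OpenID Connect Core lets a relying party pre-register its request_uris, so the issuer can refuse anything not registered for that client, anything that is not https, and any literal internal address (loopback, RFC 1918, link-local metadata endpoints). The following is an added Python example written for this page; it is not LemonLDAP::NG code, and the RELYING_PARTIES registry, its shape and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed relying-party registry (hypothetical shape; not LemonLDAP::NG's OIDC RP
# configuration). Each RP pre-registers the exact request_uri values it will send, as
# OpenID Connect Core allows through the request_uris client metadata.
RELYING_PARTIES = {
    "rp-example": {"request_uris": ["https://rp.example.com/oidc/request.jwt"]},
}


def _is_internal_literal(host: str) -> bool:
    """True for IP literals the issuer must never fetch from (loopback, RFC 1918,
    link-local such as cloud metadata endpoints, ...) and for localhost names.
    Hostnames are not resolved here, so a DNS name that points at an internal
    address is stopped only by the exact registration check, not by this test."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".localhost")
    return not ip.is_global


def validate_request_uri(client_id: str, request_uri: str):
    """Return (allowed, reason). Allowed only when the URI is https, is not an
    internal literal, and is exactly one of the values registered for the client."""
    rp = RELYING_PARTIES.get(client_id)
    if rp is None:
        return False, "unknown client_id"
    parts = urlparse(request_uri)
    if parts.scheme != "https":
        return False, "request_uri must use https"
    if not parts.hostname or _is_internal_literal(parts.hostname):
        return False, "request_uri host not allowed"
    # Exact-match allowlist: the client supplies a selector, never a free-form URL.
    if request_uri not in rp["request_uris"]:
        return False, "request_uri not registered for this client"
    return True, "ok"


# Constructed authorization-request values an attacker might supply.
ATTEMPTS = [
    ("rp-example", "https://rp.example.com/oidc/request.jwt"),   # registered: allowed
    ("rp-example", "http://169.254.169.254/latest/meta-data/"),   # plain http, metadata IP
    ("rp-example", "https://[::1]/"),                             # loopback literal
    ("rp-example", "https://rp.example.com/oidc/other.jwt"),      # right host, not registered
    ("other-rp", "https://rp.example.com/oidc/request.jwt"),      # unknown client
]

if __name__ == "__main__":
    for client_id, uri in ATTEMPTS:
        print(client_id, uri, validate_request_uri(client_id, uri))
```

The decisive control is the exact-match allowlist; the scheme and address checks are defence in depth for deployments that allow unregistered request_uri values, and they do not cover DNS names resolving to internal addresses.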
CVE-2022-37186 (CVSSv3 5.9)
In LemonLDAP::NG prior to 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed...
Affected: Lemonldap-ng LemonLDAP::NG
CVE-2012-6426 (CVSS score: NA)
LemonLDAP::NG prior to 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote malicious users to bypass intended access-control restrictions via crafted SAML data.
Affected: Lemonldap-ng LemonLDAP::NG
CVE-2019-15941 (CVSSv3 9.8)
OpenID Connect Issuer in LemonLDAP::NG 2.x up to and including 2.0.5 may allow a malicious user to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with we...
Affected: Lemonldap-ng LemonLDAP::NG; Debian Linux 10.0
CVE-2021-40874 (CVSSv3 9.8)
An issue exists in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combina...
Affected: Lemonldap-ng LemonLDAP::NG; Debian Linux 10.0
CVE-2021-35472 (CVSSv3 8.8)
An issue exists in LemonLDAP::NG prior to 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.
Affected: Lemonldap-ng LemonLDAP::NG; Debian Linux 10.0
CVE-2020-24660 (CVSSv3 9.8)
An issue exists in LemonLDAP::NG up to and including 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions prior to 0.5.2 of the "Lemonldap::NG handler for Node.js"...
Affected: Lemonldap-ng LemonLDAP::NG; Debian Linux 10.0
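The CVE-2020-24660 entry (and the index.fcgi/index.fcgi trick in the CVE-2019-19791 entry) are both instances of the same weakness class: an access rule is matched against the request target as the client sent it, while the backend resolves a different, canonical path. The fix is to canonicalize before matching: drop the query, percent-decode (repeatedly, to defeat double encoding), collapse duplicate slashes and resolve dot segments, then match on segment boundaries. The following is an added Python example written for this page, not LemonLDAP::NG handler code; the RULES table, its first-match semantics and the bypass candidates are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed ordered rule table (hypothetical; not LemonLDAP::NG's rule format).
# The first matching prefix wins, like a typical per-virtual-host rule list.
RULES = [
    ("/admin", "deny"),
    ("/", "accept"),
]


def _prefix_matches(path: str, prefix: str) -> bool:
    """Match on path-segment boundaries, so /admin does not match /administrator."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def rule_for_raw(uri: str) -> str:
    """Weak form: matches rules against the request target exactly as the client sent it."""
    for prefix, rule in RULES:
        if _prefix_matches(uri, prefix):
            return rule
    return "deny"


def normalize_uri(uri: str) -> str:
    """Canonical path: fragment and query dropped, percent-decoded until stable
    (bounded, to defeat double encoding), duplicate slashes collapsed, dot
    segments resolved. This is what the backend will actually serve."""
    path = uri.split("#", 1)[0].split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)   # //admin -> /admin (normpath would keep a leading //)
    path = posixpath.normpath(path)   # /a/./b -> /a/b, /a/../b -> /b, /../x -> /x
    return path


def rule_for_normalized(uri: str) -> str:
    """Hardened form: decide on the canonical path, never on the raw request target."""
    return rule_for_raw(normalize_uri(uri))


# Constructed bypass candidates: to the backend every one of these is /admin.
BYPASS_ATTEMPTS = [
    "/admin",
    "//admin",
    "/./admin",
    "/public/../admin",
    "/%61dmin",
    "/%2561dmin",
]


def compare(uris=BYPASS_ATTEMPTS):
    """Return {uri: (raw_decision, normalized_decision)} for each candidate."""
    return {u: (rule_for_raw(u), rule_for_normalized(u)) for u in uris}


if __name__ == "__main__":
    for uri, (raw, norm) in compare().items():
        print(f"{uri:20} raw={raw:7} normalized={norm}")
```

Only the first candidate is denied by the raw matcher; the other five fall through to the accept-all rule while still reaching /admin on the backend. The normalized matcher denies all six. Normalization must mirror what the protected backend does with the path; a reverse proxy that decodes differently from its upstream reintroduces the gap.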
CVE-2019-13031 (CVSSv3 8.1)
LemonLDAP::NG prior to 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
Affected: Lemonldap-ng LemonLDAP::NG; Debian Linux 8.0