An issue exists in LemonLDAP::NG prior to 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow malicious users to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
lemonldap-ng lemonldap\\ \\ |