5 matches found

CVE, added 2023/04/16 2:15 a.m. (70 views)

CVE-2022-37186

In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.

CVSS 5.9 | AI score 5.6 | EPSS 0.00115
CVE, added 2023/09/29 7:15 a.m. (55 views)

CVE-2023-44469

A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.

CVSS 4.3 | AI score 4.7 | EPSS 0.92282
CVE, added 2024/10/09 11:15 p.m. (48 views)

CVE-2024-48933

A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.

CVSS 6.1 | AI score 5.5 | EPSS 0.00127
CVE, added 2023/03/31 5:15 p.m. (45 views)

CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBas...

CVSS 9.8 | AI score 9.3 | EPSS 0.00031
CVE, added 2023/05/29 7:15 p.m. (44 views)

CVE-2019-19791

In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directiv...

CVSS 9.8 | AI score 9.3 | EPSS 0.00031