Debian Lemonldap-Ng vulnerabilities

20 known vulnerabilities affecting debian/lemonldap-ng.

Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 7, MEDIUM 4, LOW 1, UNKNOWN 1

Vulnerabilities

CVE-2025-31510 | HIGH | CVSS 7.2 | fixed in lemonldap-ng 2.16.1+ds-deb12u6 (bookworm) | 2025
In the portal in LemonLDAP::NG before 2.21.0, cross-site scripting (XSS) allows remote attackers to inject arbitrary web script or HTML (into the login page) via the tab parameter, for Choice authentication.
Scope: local. bookworm: resolved (fixed in 2.16.1+ds-deb12u6); bullseye: resolved (fixed in 2.0.11+ds-4+deb11u7); forky: resolved (fixed in 2.21.0+ds-1); sid:

CVE-2025-59518 | HIGH | CVSS 8.0 | fixed in lemonldap-ng 2.16.1+ds-deb12u7 (bookworm) | 2025
In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not localize _ during rule evaluation. Thus, an administrator who can edit a rule evaluated by the Safe jail can execute commands on the server.
Scope: local. bookworm: resolved (fixed in 2.16.1+ds-deb12u7); bullseye: open; forky: resolved (

CVE-2024-52946 | HIGH | CVSS 8.8 | fixed in lemonldap-ng 2.16.1+ds-deb12u4 (bookworm) | 2024
An issue was discovered in LemonLDAP::NG before 2.20.1. An improper check during session refresh allows an authenticated user to raise their authentication level if the admin configured an "Adaptative authentication rule" with an increment instead of an absolute value.
Scope: local. bookworm: resolved (fixed in 2.16.1+ds-deb12u4); bullseye: resolved (fixed in 2.0

CVE-2024-48933 | MEDIUM | CVSS 6.1 | fixed in lemonldap-ng 2.16.1+ds-deb12u3 (bookworm) | 2024
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.
Scope: local. bookworm: resolved (fixed in 2.16.1+ds-deb12u3); bullseye: resolved (fixed in 2.0.11+ds-4

CVE-2024-52947 | MEDIUM | CVSS 5.4 | fixed in lemonldap-ng 2.16.1+ds-deb12u4 (bookworm) | 2024
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin.
Scope: local. bookworm: resolved (fixed in 2.16.1+ds-deb12u4); bullsey

CVE-2024-45160 | LOW (the advisory text itself rates it CRITICAL) | CVSS 9.1 | fixed in lemonldap-ng 2.19.2+ds-1 (forky) | 2024
Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret).
Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 2.19.2+ds-1); sid: resolved (fixed in 2.19.2+ds-1); trixie: resolved (fixed in 2.19.2+ds-1)

CVE-2024-52948 | UNKNOWN | fixed in lemonldap-ng 2.16.1+ds-deb12u5 (bookworm) | 2024
No description is given for this entry.
bookworm: resolved (fixed in 2.16.1+ds-deb12u5); bullseye: open; forky: resolved (fixed in 2.20.2+ds-1); sid: resolved (fixed in 2.20.2+ds-1); trixie: resolved (fixed in 2.20.2+ds-1)

CVE-2023-28862 | CRITICAL | CVSS 9.8 | fixed in lemonldap-ng 2.16.1+ds-1 (bookworm) | 2023
An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.
Scope: local. bookworm: resolved (fixed in 2.16.1

CVE-2023-44469 | MEDIUM | CVSS 5.3 | fixed in lemonldap-ng 2.16.1+ds-deb12u2 (bookworm) | 2023
A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to arbitrary URLs through the request_uri authorization parameter. This is similar to CVE-2020-10770.
Scope: local. bookworm: resolved (fixed in 2.16.1+ds-deb12u2); bullseye: resolved (fixed in 2.0.11+ds-4+de

CVE-2022-37186 | MEDIUM | CVSS 5.9 | fixed in lemonldap-ng 2.0.15+ds-1 (bookworm) | 2022
In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur when there are at least two servers, and a session is manually removed before the time at which it would have been removed automatically.
Scope: local. bookworm: resolved (fixed in 2.0.15+ds-1); bullseye: re

CVE-2021-40874 | CRITICAL | CVSS 9.8 | fixed in lemonldap-ng 2.0.14+ds-1 (bookworm) | 2021
An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid f

CVE-2021-35473 | CRITICAL | CVSS 9.1 | fixed in lemonldap-ng 2.0.11+ds-4 (bookworm) | 2021
An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use an expired access token from an OIDC client to access the OAuth2 handler. The earliest affected version is 2.0.4.
Scope: local. bookworm: resolved (fixed in 2.0.11+ds-4); bullsey

CVE-2021-35472 | HIGH | CVSS 8.8 | fixed in lemonldap-ng 2.0.11+ds-4 (bookworm) | 2021
An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.
Scope: local. bookworm: resolved (fixed in 2.0.11+ds-4); bullseye: resolved (fixed in 2.0.11+ds-4); fo

CVE-2020-24660 | CRITICAL | CVSS 9.8 | fixed in lemonldap-ng 2.0.9+ds-1 (bookworm) | 2020
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also affects versions before 0.5.2 of the "Lemonldap::NG handler for Node.js" package.
Scope: local. bookworm: resolved (fixed in 2.0.9+ds-1); bullseye: resolved (fixed

CVE-2020-16093 | HIGH | CVSS 7.5 | fixed in lemonldap-ng 2.0.9+ds-1 (bookworm) | 2020
In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.
Scope: local. bookworm: resolved (fixed in 2.0.9+ds-1); bullseye: resolved (fixed in 2.0.9+ds-1); forky: resolved (fixed in 2.0.9+ds-1); s

CVE-2019-15941 | CRITICAL | CVSS 9.8 | fixed in lemonldap-ng 2.0.6+ds-1 (bookworm) | 2019
OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relying Party within the LemonLDAP configuration with weaker access control rules than the target RP, and no filtering on redirection URIs.
Scope: local

CVE-2019-12046 | CRITICAL | CVSS 9.8 | fixed in lemonldap-ng 2.0.2+ds-7+deb10u1 (bookworm) | 2019
LemonLDAP::NG -2.0.3 has Incorrect Access Control.
Scope: local. bookworm: resolved (fixed in 2.0.2+ds-7+deb10u1); bullseye: resolved (fixed in 2.0.2+ds-7+deb10u1); forky: resolved (fixed in 2.0.2+ds-7+deb10u1); sid: resolved (fixed in 2.0.2+ds-7+deb10u1); trixie: resolved (fixed in 2.0.2+ds-7+deb10u1)

CVE-2019-19791 | CRITICAL | CVSS 9.8 | fixed in lemonldap-ng 2.0.7+ds-1 (bookworm) | 2019
In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when some LemonLDAP::NG setup options are used). For example, an attacker can insert index.fcgi/index.fcgi into a URL to bypass a Require directive.
Scope: local. bookworm: resolved (fixed in 2.0.7+ds-1); bul

CVE-2019-13031 | HIGH | CVSS 8.1 | fixed in lemonldap-ng 2.0.0+ds-1 (bookworm) | 2019
LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification server is not enabled and has a "deny all" rule.
Scope: local. bookworm: resolved (fixed in 2.0.0+ds-1); bullseye: resolved (fixed in 2.0.0+ds-1); forky: resolved (fixed in 2.0.0+ds-1); sid: resolved (fixed in 2.

CVE-2012-6426 | HIGH | CVSS 7.5 | fixed in lemonldap-ng 1.2.2-3 (bookworm) | 2012
LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.
Scope: local. bookworm: resolved (fixed in 1.2.2-3); bullseye: resolved (fixed in 1.2.2-3); forky: resolved (fixed in 1.2.2-3); sid: resolved (fixed in 1.2.2-3); trixie: