Lemonldap-ng Lemonldap

13 CVEs affecting Lemonldap-ng Lemonldap. Latest disclosed: 2024-10-09. Critical: 6, High: 3.

Top CVEs affecting Lemonldap-ng Lemonldap

| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2019-19791 | Critical | 9.8 | 2023-05-29 | In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when s… |
| CVE-2023-28862 | Critical | 9.8 | 2023-03-31 | An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password ch… |
| CVE-2021-40874 | Critical | 9.8 | 2022-07-18 | An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for anothe… |
| CVE-2020-24660 | Critical | 9.8 | 2020-09-14 | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submi… |
| CVE-2019-15941 | Critical | 9.8 | 2019-09-25 | OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization reques… |
| CVE-2019-12046 | Critical | 9.8 | 2019-05-22 | LemonLDAP::NG -2.0.3 has Incorrect Access Control. |
| CVE-2021-35472 | High | 8.8 | 2021-07-30 | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes man… |
| CVE-2019-13031 | High | 8.1 | 2019-06-28 | LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification serv… |
| CVE-2020-16093 | High | 7.5 | 2022-07-18 | In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because… |
| CVE-2024-48933 | Medium | 6.1 | 2024-10-09 | A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page vi… |
| CVE-2022-37186 | Medium | 5.9 | 2023-04-16 | In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur whe… |
| CVE-2023-44469 | Medium | 4.3 | 2023-09-29 | A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to a… |
| CVE-2012-6426 | | | 2013-01-01 | LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-con… |