Lemonldap-ng Lemonldap
13 CVEs affecting Lemonldap-ng Lemonldap. Latest disclosed: 2024-10-09. Critical: 6, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2019-19791 | Critical | 9.8 | 2023-05-29 | In LemonLDAP::NG (aka lemonldap-ng) before 2.0.7, the default Apache HTTP Server configuration does not properly restrict access to SOAP/REST endpoints (when s… |
| CVE-2023-28862 | Critical | 9.8 | 2023-03-31 | An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password ch… |
| CVE-2021-40874 | Critical | 9.8 | 2022-07-18 | An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for anothe… |
| CVE-2020-24660 | Critical | 9.8 | 2020-09-14 | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submi… |
| CVE-2019-15941 | Critical | 9.8 | 2019-09-25 | OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization reques… |
| CVE-2019-12046 | Critical | 9.8 | 2019-05-22 | LemonLDAP::NG -2.0.3 has Incorrect Access Control. |
| CVE-2021-35472 | High | 8.8 | 2021-07-30 | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes man… |
| CVE-2019-13031 | High | 8.1 | 2019-06-28 | LemonLDAP::NG before 1.9.20 has an XML External Entity (XXE) issue when submitting a notification to the notification server. By default, the notification serv… |
| CVE-2020-16093 | High | 7.5 | 2022-07-18 | In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because… |
| CVE-2024-48933 | Medium | 6.1 | 2024-10-09 | A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.19.3 allows remote attackers to inject arbitrary web script or HTML into the login page vi… |
| CVE-2022-37186 | Medium | 5.9 | 2023-04-16 | In LemonLDAP::NG before 2.0.15, some sessions are not deleted when they are supposed to be deleted according to the timeoutActivity setting. This can occur whe… |
| CVE-2023-44469 | Medium | 4.3 | 2023-09-29 | A Server-Side Request Forgery issue in the OpenID Connect Issuer in LemonLDAP::NG before 2.17.1 allows authenticated remote attackers to send GET requests to a… |
| CVE-2012-6426 | | | 2013-01-01 | LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-con… |