
Debian 11: DLA-3979-1 critical: lemonldap-ng XSS and bypass

Debian LTS, November 30, 2024
Multiple vulnerabilities were discovered in Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead to injection of arbitrary scripts or authoriz...

Summary

CVE-2024-48933

Cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML into the login page via a username, if 'userControl' has been set to a non-default value that allows special HTML characters.

CVE-2024-52946

An improper check during session refresh allows an authenticated user to raise their authentication level if the admin configured an "Adaptative authentication rule" with an increment instead of an absolute value.
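The refresh defect in CVE-2024-52946 comes down to where an incrementing rule is applied. The following is an added, simplified model (not LemonLDAP::NG's code; the "+N" increment versus plain-number absolute rule syntax is an assumption) contrasting a refresh that re-applies the rule to the already-adjusted stored level with one that always recomputes from the level the authentication backend granted:

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# Assumed rule syntax: "+2"/"-1" is an increment, "5" is an absolute level.
INCREMENT_RE = re.compile(r"^([+-])(\d+)$")


def apply_level_rule(base_level: int, rule_value: str) -> int:
    """Effective authentication level from a backend-granted level and one rule."""
    m = INCREMENT_RE.match(rule_value)
    if m:
        delta = int(m.group(2))
        return base_level + delta if m.group(1) == "+" else base_level - delta
    return int(rule_value)


@dataclass
class Session:
    base_level: int   # level granted by the authentication backend at login
    level: int        # effective level currently stored in the session


def refresh_vulnerable(session: Session, rule_value: str) -> int:
    # Defective pattern: the rule is applied to the stored (already adjusted)
    # level, so an increment compounds on every refresh.
    session.level = apply_level_rule(session.level, rule_value)
    return session.level


def refresh_fixed(session: Session, rule_value: str) -> int:
    # Correct pattern: recompute from the backend-granted level each time,
    # so refreshing is idempotent for increments and absolutes alike.
    session.level = apply_level_rule(session.base_level, rule_value)
    return session.level


def simulate(refresh: Callable[[Session, str], int], rule_value: str,
             base_level: int = 2, refreshes: int = 3) -> List[int]:
    """Return the level after login followed by `refreshes` session refreshes."""
    s = Session(base_level, apply_level_rule(base_level, rule_value))
    levels = [s.level]
    for _ in range(refreshes):
        levels.append(refresh(s, rule_value))
    return levels


def level_is_consistent(session: Session, rule_value: str) -> bool:
    """Server-side sanity check: a stored level must equal a fresh recomputation."""
    return session.level == apply_level_rule(session.base_level, rule_value)
```

With an absolute rule both variants agree; with an increment only the recomputing refresh keeps the level stable, and level_is_consistent() flags a session whose stored level has drifted.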

CVE-2024-52947

Cross-site scripting (XSS) vulnerability which allows remote attackers to inject arbitrary web script or HTML via the 'url' parameter of the upgrade session confirmation page (upgradeSession), if the "Upgrade session" plugin has been enabled by an admin.

For Debian 11 bullseye, these problems have been fixed in version 2.0.11+ds-4+deb11u6.

We recommend that you upgrade your lemonldap-ng packages.



Severity: critical

Package: lemonldap-ng
Version: 2.0.11+ds-4+deb11u6
CVE ID: CVE-2024-48933 CVE-2024-52946 CVE-2024-52947
Debian Bug: 1084979
