CVE-2024-48933
Cross-site scripting (XSS) vulnerability which allows remote
attackers to inject arbitrary web script or HTML into the login page
via a username if âuserControlâ has been set to a non-default value
that allows special HTML characters.
CVE-2024-52946
Improper Check during session refresh which allows an authenticated
user to raise their authentication level if the admin configured an
"Adaptative authentication rule" with an increment instead of an
absolute value.
CVE-2024-52947
Cross-site scripting (XSS) vulnerability which allows remote
attackers to inject arbitrary web script or HTML via the âurlâ
parameter of the upgrade session confirmation page (upgradeSession)
if the "Upgrade session" plugin has been enabled by an admin.
For Debian 11 bullseye, these problems have been fixed in version
2.0.11+ds-4+deb11u6.
We recommend that you upgrade your lemonldap-ng packages.
Get the latest Linux and open source security news straight to your inbox.