| Package | lemonldap-ng |
|---|---|
| Version | 2.0.2+ds-7+deb10u11 (buster) |
| Related CVEs | CVE-2024-48933 CVE-2024-52947 |
Two Cross-site scripting (XSS) vulnerabilities were discovered in Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead to injection of arbitrary scripts or HTML content.
- CVE-2024-48933: XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML into the login page via a username if `userControl` has been set to a non-default value that allows special HTML characters.
- CVE-2024-52947: XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the `url` parameter of the upgrade session confirmation page (upgradeSession) if the "Upgrade session" plugin has been enabled by an admin.
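The first issue only bites when the `userControl` pattern admits HTML-special characters. The following added example (not part of this advisory or of the Lemonldap::NG code base) audits a `userControl` value for that weakness and contrasts raw echoing of the login name with the escaped rendering that closes the hole; the default pattern shown is assumed, and Perl patterns are approximated with Python's `re`.

```python
import html
import re

# Assumed default userControl of Lemonldap::NG; verify against your own
# configuration (lemonldap-ng-cli get userControl) rather than trusting this.
DEFAULT_USER_CONTROL = r"^[\w\.\-@]+$"

# A permissive value constructed for this example: it accepts any non-empty
# string, so a login name may carry HTML-special characters.
PERMISSIVE_USER_CONTROL = r"^.+$"

# Characters that must never reach an HTML page unescaped.
HTML_SPECIAL = "<>\"'&"


def admits_html_specials(user_control: str) -> list:
    """Return the HTML-special characters a userControl regex lets through
    inside a username. An empty list means the pattern is safe on this point.

    Caveat: Lemonldap::NG evaluates the pattern with Perl; Python's re is a
    close approximation for the simple character-class patterns used here.
    """
    pattern = re.compile(user_control)
    return [c for c in HTML_SPECIAL if pattern.match(f"user{c}name")]


def render_login_message(username: str, escape: bool) -> str:
    """Model of a login page that echoes the submitted username.

    escape=False interpolates the raw value (the vulnerable pattern);
    escape=True applies HTML escaping (the behaviour a fixed page must have).
    """
    shown = html.escape(username, quote=True) if escape else username
    return f"<p>Login failed for {shown}</p>"


if __name__ == "__main__":
    for name, pat in (("default", DEFAULT_USER_CONTROL),
                      ("permissive", PERMISSIVE_USER_CONTROL)):
        leaked = admits_html_specials(pat)
        print(f"{name:10} {pat!r:18} admits: {leaked or 'none'}")
    # Constructed sample input containing markup, rendered both ways.
    sample = "alice<b>"
    print(render_login_message(sample, escape=False))
    print(render_login_message(sample, escape=True))
```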
For Debian 10 buster, these problems have been fixed in version 2.0.2+ds-7+deb10u11.
We recommend that you upgrade your lemonldap-ng packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.