CVE-2024-52947

EUVD-2024-45981
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin.
Cross-site Scripting
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  5.4 MEDIUM  NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA-ADP  ADP      6.1 MEDIUM  NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Status: Awaiting analysis (this vulnerability is currently awaiting analysis).
EPSS Score: Percentile 27%
Debian Releases
Product       Codename             Version               Status
lemonldap-ng  bookworm             2.16.1+ds-deb12u6     fixed
lemonldap-ng  bookworm (security)  2.16.1+ds-deb12u6     fixed
lemonldap-ng  bullseye             -                     vulnerable
lemonldap-ng  bullseye (security)  2.0.11+ds-4+deb11u7   fixed
lemonldap-ng  forky                2.22.1+ds-1           fixed
lemonldap-ng  sid                  2.22.1+ds-1           fixed
lemonldap-ng  trixie               2.21.2+ds-1+deb13u1   fixed
Ubuntu Releases
Product       Codename  Status
lemonldap-ng  bionic    needs-triage
lemonldap-ng  focal     needs-triage
lemonldap-ng  jammy     needs-triage
lemonldap-ng  noble     needs-triage
lemonldap-ng  oracular  ignored
lemonldap-ng  plucky    not-affected
lemonldap-ng  questing  not-affected
lemonldap-ng  xenial    needs-triage