Bypassing 2FA Verification in LemonLDAP::NG

Bypassing 2FA Verification in LemonLDAP::NG

CVE-2023-28862 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.

Learn more about our Web Application Penetration Testing UK.