CVE-2024-52947
Description
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession / forceUpgrade) if the "Upgrade session" plugin has been enabled by an admin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.20.1 allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page, provided the "Upgrade session" plugin is enabled.
Vulnerability
Details
The vulnerability is a reflected XSS in LemonLDAP::NG, an open-source WebSSO system. The issue resides in the upgrade session confirmation page (upgradeSession / forceUpgrade). When the "Upgrade session" plugin is enabled by an administrator, the value of the url parameter is reflected into that page without adequate escaping, so an attacker who controls the parameter can inject arbitrary HTML or JavaScript. This is described in the official advisory [1].
Exploitation
An attacker can craft a link to the confirmation page whose url parameter carries the XSS payload and get a victim to open it. The victim must be logged into LemonLDAP::NG; the attacker needs no credentials of their own, since the victim's browser supplies the session. The attack only works if the administrator has enabled the "Upgrade session" plugin. The injected script then runs in the origin of the SSO portal, in the context of the victim's session.
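The exploitation pattern above is visible in the portal's access log: a request to the confirmation page whose url parameter contains markup rather than a redirect target. The following detection is an added example, not LemonLDAP::NG code. It assumes a combined Apache-style log and that the confirmation page path contains "upgradesession" or "forceupgrade" (PATH_MARKERS is a guess; adjust it to your deployment); the log lines are constructed.

```python
"""Flag probable CVE-2024-52947 exploitation attempts in SSO portal access logs.

Added example, not LemonLDAP::NG code. Assumed: combined log format and the
path markers below (check your deployment); sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed path fragments of the upgrade-session confirmation page.
PATH_MARKERS = ("upgradesession", "forceupgrade")

# A legitimate redirect target never needs these characters; a payload
# that breaks out of an attribute or injects a tag does.
XSS_MARKERS = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double-encoding is a
    common filter-evasion trick)."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def inspect_request(target):
    """Return the decoded url parameter if `target` hits the confirmation page
    and the parameter contains XSS markers; otherwise None."""
    parts = urlsplit(target)
    if not any(m in parts.path.lower() for m in PATH_MARKERS):
        return None
    # parse_qs already removes one layer of encoding; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("url", []):
        decoded = decode_fully(raw)
        if XSS_MARKERS.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return one dict per suspicious request (ip, timestamp, decoded payload)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        decoded = inspect_request(m.group("target"))
        if decoded is not None:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "url_param": decoded})
    return hits


# Constructed sample log: one benign confirmation, one plain payload, one request
# to an unrelated page, and one double-encoded payload.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /upgradesession?url=https%3A%2F%2Fapp.example.com%2Fdashboard HTTP/1.1" 200 1234',
    '203.0.113.11 - - [10/Jan/2025:10:00:02 +0000] "GET /upgradesession?url=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 1301',
    '198.51.100.5 - - [10/Jan/2025:10:00:03 +0000] "GET /?url=%3Cscript%3E HTTP/1.1" 200 900',
    '203.0.113.12 - - [10/Jan/2025:10:00:04 +0000] "GET /upgradesession?url=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The third sample line is deliberately not flagged: the same payload on a page that does not reflect the parameter is noise, and keeping the path check avoids alerting on every scanner that sprays `<script>` at the portal root.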
Impact
Successful exploitation leads to cross-site scripting in the origin of the SSO portal, which can be used to steal session cookies that are not protected from script, perform actions on behalf of the user, or deface the page. The severity is rated Medium (CVSS 5.4) because the plugin must be enabled and the victim must open the crafted link.
Mitigation
LemonLDAP::NG version 2.20.1 fixes this vulnerability. Users are advised to upgrade. There is no known workaround besides disabling the "Upgrade session" plugin, if feasible. If you must back-port a fix yourself, the correct remedy for a reflected XSS is to HTML-escape the url value wherever the confirmation page renders it (input validation alone is a fragile substitute).
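To make the difference between the vulnerable sink and the remedy concrete, here is an added example that is not LemonLDAP::NG code and not its patch: a hypothetical stand-in for the confirmation page that first interpolates the url parameter raw, then escapes it for the attribute context it lands in and validates it as a redirect target. The form markup, the `/upgradesession` action and the `allowed_hosts` allowlist are assumptions for illustration; the payload is a constructed sample input.

```python
"""Vulnerable vs hardened rendering of a session-upgrade confirmation page.

Added example, not LemonLDAP::NG code or its fix. The template, the action
path and the host allowlist are hypothetical; PAYLOAD is a constructed input.
"""
from html import escape
from urllib.parse import urlsplit

PAYLOAD = '"><script>alert(document.cookie)</script>'  # constructed sample input


def render_vulnerable(url):
    """The reflected-XSS sink: the parameter is dropped into an attribute as-is,
    so a leading '">' closes the attribute and tag and the rest is live markup."""
    return (
        '<form method="post" action="/upgradesession">'
        f'<input type="hidden" name="url" value="{url}">'
        '<button>Confirm session upgrade</button></form>'
    )


def render_hardened(url):
    """Same template, but the value is escaped for an attribute context.
    quote=True turns both quote characters into entities, so the attribute
    cannot be closed early; < and > become &lt; and &gt;."""
    return (
        '<form method="post" action="/upgradesession">'
        f'<input type="hidden" name="url" value="{escape(url, quote=True)}">'
        '<button>Confirm session upgrade</button></form>'
    )


def is_allowed_redirect(url, allowed_hosts):
    """Accept only a site-relative path or an https URL to an allowlisted host.

    Escaping stops script injection; this check stops the page being used as an
    open redirect (javascript: URLs, protocol-relative //evil, foreign hosts)."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def confirmation_page(url, allowed_hosts=frozenset({"app.example.com"})):
    """Hardened entry point: reject unacceptable targets before rendering,
    falling back to the portal root instead of echoing the supplied value."""
    if not is_allowed_redirect(url, allowed_hosts):
        url = "/"
    return render_hardened(url)


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(confirmation_page(PAYLOAD))
    print(confirmation_page("https://app.example.com/dashboard"))
```

Escaping is what closes the XSS; the allowlist is the extra check a practitioner would add on the same parameter, because a confirmation page that redirects wherever it is told is a phishing aid even after the injection is fixed.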
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.20.1
Patches
1fe2718cc2dd8
References