Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:45 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
> - an open redirection due to incorrect escape handling
> - an open redirection only when configuration is edited by hand and
>   doesn't follow OIDC specifications
> - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>   A little-known feature of OIDC allows the OpenID Provider to fetch the
>   Authorization request parameters itself by indicating a request_uri
>   parameter. This feature is now restricted to a white list using this
>   patch
>
Please go ahead.

Regards,

Adam
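As an added illustration of the allowlist mitigation Yadd describes (this is not LemonLDAP::NG's own code): the provider accepts a request_uri only when it is an https URL sitting under a prefix pre-registered for that client, and refuses everything else before any fetch happens. The client id, URLs and allowlist layout are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed example allowlist: request_uri prefixes an operator has
# registered per OIDC client. A real deployment would take these from the
# client's registration; the client id and URLs here are placeholders.
REQUEST_URI_ALLOWLIST = {
    "rp-example": ["https://rp.example.com/oidc/requests/"],
}


def is_allowed_request_uri(client_id, request_uri, allowlist=REQUEST_URI_ALLOWLIST):
    """Return True only when request_uri is an https URL located under a
    prefix registered for client_id. Any other value is refused, so the
    provider never fetches a caller-chosen location. The fetch itself
    should additionally be done with redirects disabled."""
    prefixes = allowlist.get(client_id, [])
    if not prefixes:
        return False
    try:
        parts = urlsplit(request_uri)
        port = parts.port or 443  # .port raises ValueError when malformed
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    # Reject userinfo so "https://allowed-host@other-host/" cannot be
    # mistaken for allowed-host by a naive string comparison.
    if parts.username is not None or parts.password is not None:
        return False
    # Reject dot segments; a prefix match on the raw path is meaningless
    # if the path can climb back out of the registered directory.
    if any(seg in ("..", ".") for seg in parts.path.split("/")):
        return False
    for prefix in prefixes:
        p = urlsplit(prefix)
        if (parts.hostname == p.hostname          # hostname is lowercased by urlsplit
                and port == (p.port or 443)
                and parts.path.startswith(p.path)):
            return True
    return False
```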