Clement_Oudot

#14997 of 53,633
17.9 Total CVSS
Vulnerabilities · 2 (High: 1, Critical: 1)

PT-2023-11344 · CVSS 9.8 · 2023-05-29 · Apache · Apache Http Server · CVE-2019-19791

**Name of the Vulnerable Software and Affected Versions**
LemonLDAP::NG versions prior to 2.0.7

**Description**
The default Apache HTTP Server configuration in LemonLDAP::NG does not properly restrict access to SOAP/REST endpoints when certain setup options are used. This allows an attacker to bypass a Require directive by inserting index.fcgi/index.fcgi into a URL.

**Recommendations**
For versions prior to 2.0.7, update to version 2.0.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the SOAP/REST endpoints to minimize the risk of exploitation.

PT-2019-13089 · CVSS 8.1 · 2019-06-28 · Lemonldap · Lemonldap::Ng · CVE-2019-13031

**Name of the Vulnerable Software and Affected Versions**
LemonLDAP::NG versions prior to 1.9.20

**Description**
The issue is related to an XML External Entity (XXE) problem that occurs when submitting a notification to the notification server. It's worth noting that the notification server is not enabled by default and has a "deny all" rule, which may limit the exposure to this issue.

**Recommendations**
For versions prior to 1.9.20, update to version 1.9.20 or later to resolve the issue.