It was discovered that the Lemonldap::NG web SSO system performed insuffient validation of session tokens if the tokenUseGlobalStorage option is enabled, which could grant users with access to the main session database access to an anonymous session.
Continue reading...
Continue reading...