Package: liblemonldap-ng-portal-perl Version: 1.9.7-3 Severity: normal Tags: security upstream
The notification server (not enabled by default) allows authorized administrators to push XML files that deliver a message to a user. Due to #838097, XML::LibXML expands external entities by default, so the notification XML is parsed with XML external entity (XXE) processing enabled. An administrator can therefore push an XML document containing an external entity and read any file on the server filesystem that is readable by www-data. See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1818 for more.

This issue also exists in versions [>= 2.0.0, < 2.0.5] but isn't exploitable there since:
- the notification system does not use SOAP/XML by default
- the old-compatibility mode is broken in these versions
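To illustrate the parser behaviour behind this report, here is an added stand-alone Perl example (not code from LemonLDAP::NG and not the upstream fix): it parses a constructed notification-like document that carries an external entity, first with an XML::LibXML parser created with default options, then with one configured to refuse external entities. The file it reads is a temporary file created by the script itself, the document structure is only a loose imitation of a notification, and the parser option names are the standard XML::LibXML ones (expand_entities, load_ext_dtd, no_network, ext_ent_handler).

```perl
#!/usr/bin/perl
# Added example, not part of LemonLDAP::NG: XML::LibXML with default options
# substitutes external entities; a parser built with restrictive options and
# an external-entity handler that refuses every load does not.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

# Constructed stand-in for a file readable by www-data (in the report this
# could be any file on the portal host, e.g. a config file holding secrets).
my ( $fh, $secret_path ) = tempfile( UNLINK => 1 );
print {$fh} "db_password=hunter2\n";
close $fh;

# Constructed payload: an external entity pointing at the file above, placed
# where a notification's message text would be. The real schema is not
# reproduced here.
my $payload = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<root><notification uid="dwho"><text>&xxe;</text></notification></root>
XML

# 1. Parser with default options: entity substitution is on (this is the
#    behaviour described in #838097), so the file content lands in <text>.
my $default_parser = XML::LibXML->new();
my $doc            = $default_parser->parse_string($payload);
my $text           = $doc->findvalue('/root/notification/text');
print "default parser, <text> content: $text";

# 2. Hardened parser: no entity substitution, no external DTD loading, no
#    network access, and an external-entity handler that refuses every load.
#    The handler is the decisive control: libxml2 may still fetch an external
#    entity in order to parse it even when substitution is switched off, so
#    the fetch itself is refused rather than only the substitution.
my $hardened_parser = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
    ext_ent_handler => sub { die "refusing to load external entity $_[0]\n" },
);

# Depending on the XML::LibXML version the parse either fails (handler error
# propagated) or succeeds with the entity left unresolved; in both cases the
# file content never reaches the document.
my $safe_doc = eval { $hardened_parser->parse_string($payload) };
if ( !$safe_doc ) {
    print "hardened parser rejected the document: $@";
}
else {
    my $safe_text = $safe_doc->findvalue('/root/notification/text');
    my $leaked    = $safe_text =~ /hunter2/ ? "yes" : "no";
    print "hardened parser accepted the document; secret leaked: $leaked\n";
}
```

The first parse prints the temporary file's content inside the message text, which is exactly the primitive an administrator could use against the notification server. The second shows the shape of a parser that a component accepting XML from less trusted sources should use; setting only expand_entities => 0 is not sufficient on its own, because libxml2 can still load the external resource to parse it, hence the additional ext_ent_handler.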