
Cloud Vulnerability DB
A community-led vulnerabilities database
The ad-ldap-connector's admin panel before version 5.0.13 contains a Cross-Site Request Forgery (CSRF) vulnerability. The admin console does not provide CSRF protection, which when exploited could result in remote code execution or confidential data loss. The vulnerability was discovered and disclosed on November 5, 2020 (GitHub Advisory).
The vulnerability exists due to the lack of CSRF protection in the admin console's API endpoints. A CSRF exploit can occur if a user with access to the ad-ldap-connector admin console visits a malicious webpage containing a CSRF payload while logged into the admin console in the same browser. The vulnerability has been assigned CVE-2020-15259 and received a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (NVD).
Successful exploitation of this vulnerability could lead to remote code execution or confidential data loss through the admin console. An attacker could potentially execute unauthorized actions on behalf of an authenticated admin user who visits a malicious webpage while having access to the admin console (GitHub Advisory).
The vulnerability has been fixed in version 5.0.13 of ad-ldap-connector by implementing CSRF protection. Users should upgrade to this version or later and restart their admin console. The update has no impact on end users. For those unable to update immediately, avoiding access to any public URLs while using the admin console can help mitigate the risk (GitHub Advisory, GitHub Patch).
Source: This report was generated using AI