CVE-2025-31510: 
Linux Debian vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been discovered in Lemonldap::NG, a Web-SSO system compatible with OpenID-Connect, CAS and SAML. The vulnerability (CVE-2025-31510) affects versions 2.20.2 and earlier, specifically when using the 'Choice' authentication module. The issue was discovered and disclosed in March 2025, with fixes being released in April 2025 (Debian Security, GitLab Issue).

The vulnerability stems from improper input validation in the tab parameter of the authentication system. When a malicious payload is injected through the tab parameter, it allows for the introduction of HTML code into the login page. If the default Content-Security-Policy (CSP) headers have been modified, it becomes possible to inject JavaScript code. The vulnerability has been assigned a CVSS score of 9.0 (AV:N/AC:L/Au:N/C:C/I:C/A:N), indicating high severity (Rapid7).

The vulnerability enables attackers to inject malicious content, including HTML, iframes, or JavaScript, with varying impacts depending on the applied Content Security Policy (CSP) configuration. This could potentially lead to unauthorized access to sensitive information and compromise of user sessions (GitLab Issue).

For the Debian stable distribution (bookworm), this vulnerability has been fixed in version 2.16.1+ds-deb12u6. The fix includes proper sanitization of the tab parameter to prevent code injection vulnerabilities. Users are strongly recommended to upgrade their lemonldap-ng packages to the latest version (Debian Security).