[security:low] If SFA is enabled with the Impersonation plugin, users can add or remove the spoofed user's 2F devices
Environment
LemonLDAP::NG version: 2.0.3 and others
Operating system: all
Web server: all
Summary
Enable second factor authentication (SFA) and the Impersonation plugin. Log in as dwho and impersonate (spoof) rtyler. While spoofed, the 2F registration interface operates on the persistent session of rtyler, so dwho can register new second factors for rtyler or remove rtyler's existing ones. Both actions should be restricted to the real account owner, since they change what is required to log in as rtyler.
Possible fixes
Detect, on the server side, that an impersonation is in progress and refuse both the add and the delete actions on 2F devices for the duration of the spoofed session. The check must be enforced in the registration handler itself, not only hidden in the menu, since the actions can be requested directly.
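The following Perl sketch is an added illustration of the proposed guard; it is not LemonLDAP::NG code. The session key names it relies on (`_user`, `_impUser`, `_impSpoofId`), the request shape and the handler name are assumptions made for this example, not the project's actual API.

```perl
#!/usr/bin/env perl
# Added illustration, not LemonLDAP::NG code. It models the proposed guard:
# refuse 2F device registration/removal when the current session is an
# impersonated one. Session key names (_user, _impUser, _impSpoofId) and the
# handler shape are assumptions for this sketch, not the project's API.
use strict;
use warnings;

# Returns 1 when the session belongs to a user acting as themselves,
# 0 when an impersonation is in progress (real user != displayed user).
sub can_modify_2f {
    my ($session) = @_;
    # Assumed: the Impersonation plugin records the real login in _impUser
    # and the spoofed identity in _impSpoofId while impersonation is active.
    return 0 if defined $session->{_impSpoofId}
             && $session->{_impSpoofId} ne '';
    return 0 if defined $session->{_impUser}
             && $session->{_impUser} ne $session->{_user};
    return 1;
}

# Hypothetical handler for the "add"/"delete" actions on 2F devices.
# The guard sits in the handler, so a direct request is refused too.
sub handle_2f_action {
    my ($session, $action) = @_;
    if ($action eq 'add' or $action eq 'delete') {
        unless (can_modify_2f($session)) {
            # Log the real user and the target for the audit trail, refuse.
            warn sprintf("Refused 2F %s on %s: impersonation by %s\n",
                $action, $session->{_user}, $session->{_impUser} // '?');
            return { error => 'forbidden', status => 403 };
        }
    }
    return { ok => 1, action => $action };
}

# Constructed sessions for a quick check (not real LLNG session data).
my $plain = { _user => 'rtyler' };
my $spoof = { _user => 'rtyler', _impUser => 'dwho', _impSpoofId => 'rtyler' };

for my $case ([ 'plain', $plain ], [ 'spoofed', $spoof ]) {
    my ($name, $s) = @$case;
    my $r = handle_2f_action($s, 'delete');
    printf "%-8s delete -> %s\n", $name,
        $r->{ok} ? 'allowed' : "refused ($r->{status})";
}
```

Running it prints that the plain session is allowed and the spoofed one is refused with a 403. The same check would be applied to the add action, and the refusal is logged with the real login so that the attempt is visible in the audit trail.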