[security:low] If SFA is enabled with impersonation plugin, users can add or remove spoofed user s 2f devices

LemonLDAP::NG version: 2.0.3 and other

Operating system: all

Web server: all

Enable sfa and impersonation. Log in as dwho and spoof rtyler. You can append or remove sfa from rtyler persistent session.

Detect that impersonation is in progress and forbid delete or add action.

Edited Oct 03, 2020 by Christophe Maudoux