Lemur (< 1.9.0)

Lemur versions before 1.9.0 are vulnerable to LDAP filter injection, where an authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator.