39 matches found
CVE-2021-27736
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely...
Design/Logic Flaw
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely...
CVE-2021-27736
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely...
CVE-2021-27736
Summary: CVE-2021-27736 affects FusionAuth’s fusionauth-samlv2 library prior to 0.5.4. The issue is an XML External Entity (XXE) vulnerability in parseFromBytes, which uses javax.xml.parsers.DocumentBuilderFactory unsafely on forged AuthnRequest or LogoutRequest messages. This can lead to disclos...
FusionAuth fusionauth-samlv2 代码问题漏洞
fusionauth fusionauth-samlv2 is a personal developer of a JAVA library that provides JAXB functionality . The library can mainly handle SAML requests and replies for scenarios such as single sign-on. A security vulnerability exists in FusionAuth fusionauth-samlv2 versions prior to 0.5.4 that allo...
FusionAuth Command Injection (CVE-2020-7799)
A command injection vulnerability exists in FusionAuth. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system...
FusionAuth SAML v 2 0.2.3 Message Forging Vulnerability
Unauthenticated users can send forged messages to the FusionAuth to bypass authentication, impersonate other users or gain arbitrary roles. The SAML message can be send to the application without a signature even if this is required. The impact depends on individual applications that implement...
CVE-2020-12676
FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack"...
Authentication flaw
FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack"...
CVE-2020-12676
FusionAuth fusionauth-samlv2 0.2.3 is vulnerable to a Signature Exclusion Attack: remote attackers can forge SAML messages and bypass authentication when a SAML assertion lacks a Signature element. The Red Hat/Red Hat advisory and other connected sources confirm the affected version and behavior....
CVE-2020-12676
FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack"...
FusionAuth-SAMLv2 0.2.3 Message Forging
COMPASS SECURITY ADVISORY https://www.compass-security.com/research/advisories/ Product: SAML v2.0 bindings in Java using JAXB Vendor: FusionAuth CSNC ID: CSNC-2020-002 CVE ID: CVE-2020-12676 Subject: Signature Exclusion Attack Risk: High Effect: Remotely exploitable Author: Felix Sieges Date:...
FusionAuth 1.10 Remote Command Execution Vulnerability
FusionAuth versions 1.10 and below suffer from a remote command execution vulnerability. An authenticated attacker with enough privileges to access the template editing functions either site templates or e-mail templates in the FusionAuth dashboard can execute commands on the underlying operating...
CVE-2020-7799
An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates Home - Settings - Email Templates or themes Home - Settings - Themes, can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache...
CVE-2020-7799
An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates Home - Settings - Email Templates or themes Home - Settings - Themes, can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache...
Design/Logic Flaw
An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates Home - Settings - Email Templates or themes Home - Settings - Themes, can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache...
CVE-2020-7799
An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates Home - Settings - Email Templates or themes Home - Settings - Themes, can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache...
CVE-2020-7799
CVE-2020-7799 affects FusionAuth before 1.11.0. An authenticated user with access to template editing (Email Templates or Themes in the FusionAuth dashboard) can abuse freemarker.template.utility.Execute in Apache FreeMarker to execute operating system commands. The vulnerability is a command-inj...
FusionAuth 1.10 Remote Command Execution
@Mediaservice.net Security Advisory 2020-03 last updated on 2020-01-27 Title: FusionAuth command execution via Apache Freemarker Template Application: FusionAuth 1.10 and lower Platforms: Tested on Windows 10 and Ubuntu 19.10 Description: An authenticated attacker with enough privileges to access...