CVE-2010-10002
The vulnerability CVE-2010-10002 affects the SimpleSAMLphp package, specifically the simplesamlphp-module-openid OpenID Handler. The issue is an input manipulation in the file templates/consumer.php (AuthState) that enables cross-site scripting. Exploitation can be performed remotely; the attack ...
PT-2023-9886 · Unknown · Simplesamlphp-Module-Openid +1
Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp simplesamlphp-module-openid versions prior to 1.0 Description: A vulnerability has been found in the OpenID Handler component of SimpleSAMLphp simplesamlphp-module-openid. The issue affects an unknown function of the file...
SimpleSAMLphp cross-site scripting vulnerability
SimpleSAMLphp is a PHP authentication application that implements SAML 2.0 service provider and identity provider functionality. A cross-site scripting vulnerability exists in SimpleSAMLphp, stemming from the misuse of the AuthState parameter...
MAL-2022-6127 Malicious code in simplesamlphp (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d1b0f54563dff6c02ddade2dbcd3f6bf7e1ed1c736d76c1e001d807410dc02c8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in simplesamlphp (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d1b0f54563dff6c02ddade2dbcd3f6bf7e1ed1c736d76c1e001d807410dc02c8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2018-7711
HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP...
SimpleSAMLphp Incorrect IV generation for encryption
The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector IV...
SimpleSAMLphp Unauthenticated encryption in CBC mode
SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers...
GHSA-44PR-MGCP-V36R SimpleSAMLphp Unauthenticated encryption in CBC mode
SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers...
GHSA-WW3W-592J-5QRW SimpleSAMLphp Incorrect IV generation for encryption
The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector IV...
GHSA-2QFC-48V5-4W5H SimpleSAMLphp Open redirection protection bypass
SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL...
SimpleSAMLphp Open redirection protection bypass
SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL...
GHSA-R8V4-7VWJ-983X SimpleSAMLphp SAML2 spoof SAML responses
The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging...
SimpleSAMLphp SAML2 spoof SAML responses
The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging...
GHSA-G888-G2PP-82HF SimpleSAMLphp saml2 incorrect signature validation
HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP...
SimpleSAMLphp saml2 incorrect signature validation
HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP...
SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation...
GHSA-J96G-47X2-46HV SimpleSAMLphp Session fixation issue and authentication bypass in the authcrypt module
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation...
GHSA-9327-MQM6-X97J SimpleSAMLphp Information leakage issue in the sanitycheck module
The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors...
SimpleSAMLphp Information leakage issue in the sanitycheck module
The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors...