
4 matches found

EUVD
added 2026/05/18 7:57 p.m., 7 views

EUVD-2025-209889

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either depending on configuration redirects the...

CVSS 4.7, AI score 5.8, EPSS 0.00009
Exploits: 1, References: 3
Snyk
added 2026/05/15 4:21 p.m., 11 views

Open Redirect

Overview: Affected versions of this package are vulnerable to Open Redirect via the logout process. An attacker can redirect users to arbitrary external websites by supplying a crafted url parameter. This is only exploitable if the configuration option enablelogout is set to true, and is most...

CVSS 6.1, AI score 6, EPSS 0.00009
Exploits: 1, References: 2
Github Security Blog
added 2026/05/15 4:21 p.m., 6 views

SimpleSAMLphp casserver: Open Redirect in logout

Summary: The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either depending on configuration redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. There are a number of other things broke...

CVSS 6.1, AI score 5.8, EPSS 0.00009
Exploits: 1, References: 6, Affected Software: 1
OSV
added 2026/05/15 4:21 p.m., 3 views

GHSA-CVRM-5HP6-H523: SimpleSAMLphp casserver: Open Redirect in logout

Summary: The logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either depending on configuration redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. There are a number of other things broke...

CVSS 4.7, AI score 5.8, EPSS 0.00009
Exploits: 1, References: 6