GHSA-J5G2-Q29X-CW3H SimpleSAMLphp vulnerable to XXE in parsing SAML messages

Withdrawn Advisory This advisory has been withdrawn because the vulnerability affects users of the SimpleSAMLphp tarball, not the SimpleSAMLphp Composer package. The underlying information about CVE-2024-52596 is still valid. Original Description Summary When loading an untrusted XML document, fo...

SimpleSAMLphp xml-common XXE vulnerability

Summary When loading an untrusted XML document, for example the SAMLResponse, it's possible to induce an XXE. $options is defined as: https://github.com/simplesamlphp/xml-common/blob/v1.19.0/src/DOMDocumentFactory.phpL39 including the DTDLoad option, which allows an attacker to read file contents...