Unsigned SAML LogoutRequest Acceptance in gosaml2
Summary The ValidateEncodedLogoutRequestPOST function in gosaml2 accepts completely unsigned SAML LogoutRequest messages even when SkipSignatureValidation is set to false. When validateElementSignature returns dsig.ErrMissingSignature, the code in decodelogoutrequest.go:60-62 silently falls throu...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the ValidateEncodedLogoutRequestPOST function. An attacker can terminate arbitrary user sessions by sending a forged, unsigned SAML LogoutRequest to the Single Logout endpoint, even...
CVE-2023-40178
Node-SAML is a framework-independent SAML library that runs in Node. The lack of a check against the current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...
EUVD-2018-0629
Malware in sbrugna...
EUVD-2012-1907
Malware in sbrugna...
CVE-2024-56311
REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This...
node-saml Code Issue Vulnerability
node-saml is a framework-independent SAML library that runs in Node.js. A code issue vulnerability exists in Node-SAML versions prior to 4.0.5 that stems from not checking the current timestamp, so a LogoutRequest XML can be reused multiple times...
PT-2023-27307 · Node-Saml · Node-Saml
Name of the Vulnerable Software and Affected Versions: Node-SAML versions prior to 4.0.5. Description: The lack of a check against the current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they wou...
FusionAuth fusionauth-samlv2 Code Issue Vulnerability
FusionAuth fusionauth-samlv2 is a Java library from an individual FusionAuth developer that provides JAXB functionality. The library mainly handles SAML requests and responses for scenarios such as single sign-on. A security vulnerability exists in FusionAuth fusionauth-samlv2 versions prior to 0.5.4 that allo...
CVE-2017-2646
It was found that when Keycloak before 2.5.5 receives a Logout request with an Extensions element in the middle of the request, the SAMLSloRequestParser.parse method ends in an infinite loop. An attacker could use this flaw to conduct denial of service attacks...
CVE-2017-15084
The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout CSRF, aka R7-2017-22...
CVE-2014-8567
The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data...
DEBIAN-CVE-2014-8567
The mod_auth_mellon module before 0.8.1 allows remote attackers to cause a denial of service (Apache HTTP server crash) via a crafted logout request that triggers a read of uninitialized data...
RHEL 6 : mod_auth_mellon (RHSA-2014:1803)
An updated mod_auth_mellon package that fixes two security issues is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are...