GO-2026-4764 Unsigned SAML LogoutRequest Acceptance in gosaml2 in github.com/russellhaering/gosaml2

Unsigned SAML LogoutRequest Acceptance in gosaml2 in github.com/russellhaering/gosaml2...

GHSA-PCGW-QCV5-H8CH Unsigned SAML LogoutRequest Acceptance in gosaml2

Summary The ValidateEncodedLogoutRequestPOST function in gosaml2 accepts completely unsigned SAML LogoutRequest messages even when SkipSignatureValidation is set to false. When validateElementSignature returns dsig.ErrMissingSignature, the code in decodelogoutrequest.go:60-62 silently falls throu...

CVE-2021-27736

FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely...

EUVD-2023-2365

Malicious code in bioql PyPI...

CVE-2023-40178

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...

Cross site request forgery (csrf)

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...

CVE-2023-40178 @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...

CVE-2023-40178 @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...

CVE-2023-40178 @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError

Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...

Insufficient Session Expiration

@node-saml/node-saml is vulnerable to Insufficient Session Expiration. The vulnerability exists due to the lack of validation checks of the current timestamp in the processValidlySignedPostRequestAsync function of saml.ts, which allows an attacker to reuse LogoutRequest XML multiple times even wh...

GHSA-VX8M-6FHW-PCCW @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError

Summary The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. Details It was noticed that in the validatePostRequestAsync flow in saml.js, the current timestamp is never checked. This could present a...

@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError

Summary The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. Details It was noticed that in the validatePostRequestAsync flow in saml.js, the current timestamp is never checked. This could present a...

CVE-2021-27736

FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely...

CVE-2021-27736

Summary: CVE-2021-27736 affects FusionAuth’s fusionauth-samlv2 library prior to 0.5.4. The issue is an XML External Entity (XXE) vulnerability in parseFromBytes, which uses javax.xml.parsers.DocumentBuilderFactory unsafely on forged AuthnRequest or LogoutRequest messages. This can lead to disclos...