46 matches found
xml-crypto vulnerable to XML signature verification bypass due improper verification of signature/signature spoofing
Summary Default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of https://www.w3.org/TR/2008/REC-xmldsig-core-20080610/sec-CoreValidation. As such, without additional validation steps, the default configuration allows a...
CVE-2023-40178
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...
CVE-2023-40178 @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...
CVE-2023-40178
Node-SAML CVE-2023-40178 is a functional issue in validatePostRequestAsync that allows LogoutRequest XML to be reused beyond NotOnOrAfter due to missing current-timestamp checks. Root cause: absence of timestamp validity checks in the LogoutRequest validation flow (e.g., validatePostRequestAsync/...
CVE-2023-40178 @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...
CVE-2023-40178 @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
Node-SAML is a SAML library not dependent on any frameworks that runs in Node. The lack of checking of current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they would be logged out from an...
Insufficient Session Expiration
@node-saml/node-saml is vulnerable to Insufficient Session Expiration. The vulnerability exists due to the lack of validation checks of the current timestamp in the processValidlySignedPostRequestAsync function of saml.ts, which allows an attacker to reuse LogoutRequest XML multiple times even wh...
node-saml 代码问题漏洞
node-saml is a SAML library that does not depend on any framework running in Node.js. A code issue vulnerability exists in Node-SAML versions prior to 4.0.5 that stems from not checking the current timestamp, and LogoutRequest XML can be reused multiple times...
PT-2023-27307 · Node-Saml · Node-Saml
Name of the Vulnerable Software and Affected Versions: Node-SAML versions prior to 4.0.5 Description: The lack of checking of the current timestamp allows a LogoutRequest XML to be reused multiple times even when the current time is past the NotOnOrAfter. This could impact the user where they wou...
Improper Verification Of Cryptographic Signature
Node-saml is vulnerable to improper cryptographic signature verification. A remote attacker is able to bypass SAML authentication via an arbitrary IDP signed XML element, due to improper checks for a valid top-level signature in saml.ts...
CVE-2022-39300
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the...
CVE-2022-39300
CVE-2022-39300 affects node-saml (SAML 2.0 library used with passport-saml). Reports consistently describe a signature-bypass vulnerability where a remote attacker can bypass SAML authentication by manipulating an arbitrary IDP signed XML element, potentially enabling unauthenticated access depen...
node-saml 数据伪造问题漏洞
node-saml is a SAML library that does not depend on any framework running in Node.js. A data forgery issue vulnerability exists in versions prior to node-saml 4.0.0-beta.5, which can be exploited by an attacker to bypass SAML authentication on a website using passport-saml...
CVE-2022-39300 Signature bypass via multiple root elements in node-SAML
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the...
CVE-2022-39300 Signature bypass via multiple root elements in node-SAML
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the...
Signature bypass via multiple root elements
Impact A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid user...
@skuhnow/directus (>=9.8.0 <=9.14.4) potentially affected by CVE-2022-39300 via node-saml (=4.0.0-beta.2)
node-saml NPM version =4.0.0-beta.2 is affected by a known vulnerability. The following packages have a transitive dependency on node-saml and may be impacted: - @skuhnow/directus =9.8.0, =9.14.4 Source cves: CVE-2022-39300 Source advisory: OSV:GHSA-5P8W-2MVW-38PV...
GHSA-5P8W-2MVW-38PV Signature bypass via multiple root elements
Impact A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid user...
@skuhnow/directus (>=9.8.0 <=9.14.4) potentially affected by CVE-2022-39299 via node-saml (=4.0.0-beta.2)
node-saml NPM version =4.0.0-beta.2 is affected by a known vulnerability. The following packages have a transitive dependency on node-saml and may be impacted: - @skuhnow/directus =9.8.0, =9.14.4 Source cves: CVE-2022-39299 Source advisory: OSV:GHSA-M974-647V-WHV7...
Signature bypass via multiple root elements
Impact A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid user...