2 matches found
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
Information: Please note that this is not a new disclosure; it was previously reported in our SECURITY-NOTICE.md, which we removed in favor of a GitHub advisory. Overview: This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity...
GHSA-PPJQ-QXHX-M25F Authentication Bypass for passport-wsfed-saml2
Overview: A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP-signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks e.g. without access to a valid us...