216 matches found
CVE-2016-8638
A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions...
CVE-2015-5301
providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...
PYSEC-2015-41
providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider SP owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name...
PYSEC-2015-42
providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...
Code injection
providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...
Code injection
providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider SP owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name...
CVE-2015-5301
providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...
CVE-2015-5301
CVE-2015-5301 affects Ipsilon IdP (providers/saml2/admin.py). In Ipsilon 0.1.0–1.0.2 and 1.1.x–1.1.1, incorrect permission checks allow remote authenticated users to delete a SAML2 Service Provider (SP) and cause a denial of service. Affected versions are 0.1.0 before 1.0.2 and 1.1.x before 1.1.1...
CVE-2015-5217
CVE-2015-5217 affects Ipsilon 0.1.0 prior to 1.0.1. The IdP server’s providers/saml2/admin.py fails to properly enforce permission checks when updating the SAML2 SP owner, enabling remote authenticated users to trigger a denial of service by creating a duplicate SP name. Affected: Ipsilon IdP (SA...
Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129
Shibboleth authentication module allows users to log in and get permissions based on federated SAML2 authentication. The module didn't filter the text that is displayed as a login link. This vulnerability was mitigated by the fact that an attacker must have a role with the permission Administer...
[SECURITY] Fedora 22 Update: lasso-2.4.1-3.fc22
Lasso is a library that implements the Liberty Alliance Single Sign On standards, including the SAML and SAML2 specifications. It allows to handle the whole life-cycle of SAML based Federations, and provides bindings for multiple languages...
Security: Wrong security context loaded when using SAML2 STS Login Module
It was found that when processing undefined security domains, the org.jboss.security.plugins.mapping.JBossMappingManager implementation would fall back to the default security domain if it was available. A user with valid credentials in the defined default domain, with a role that is valid in the...
[SECURITY] Fedora 20 Update: lasso-2.4.1-1.fc20
Lasso is a library that implements the Liberty Alliance Single Sign On standards, including the SAML and SAML2 specifications. It allows to handle the whole life-cycle of SAML based Federations, and provides bindings for multiple languages...
RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.3.3 update (Moderate) (RHSA-2015:0216)
The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:0216 advisory. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that t...
SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)
Shibboleth Authentication module allows users to log in and get permissions based on federated SAML2 authentication. The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a...
SA-CONTRIB-2009-070 - Shibboleth authentication - Impersonation, privilege escalation
The Shibboleth authentication module provides user authentication and authorisation based on the Shibboleth Web Single Sign-on system. The module does not properly handle the changes of the underlying Shibboleth session. This can result in impersonation and possible privilege escalation if a user...