Lucene search
K

216 matches found

Positive Technologies
Positive Technologies
added 2023/09/19 12:0 a.m.5 views

PT-2023-28147 · Sustainsys +1 · Sustainsys.Saml2 +1

Name of the Vulnerable Software and Affected Versions: Sustainsys.Saml2 versions prior to 1.0.3 Sustainsys.Saml2 versions prior to 2.9.2 Description: The Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. When a response is...

7.5CVSS6.2AI score0.00601EPSS
Exploits0References13
CNNVD
CNNVD
added 2023/09/19 12:0 a.m.4 views

SAML Security Vulnerabilities

SAML is a library for Ross Kinder individual developers that contains a partial implementation of the saml standard in golang. That is, it allows third parties to authenticate your users, or allows third parties to rely on us to authenticate their users. A security vulnerability exists in...

7.5CVSS6.5AI score0.00601EPSS
Exploits0References4
Veracode
Veracode
added 2023/06/27 1:41 p.m.16 views

Authentication Bypass

passport-wsfed-saml2 is vulnerable to Authentication Bypass. The vulnerability exists because the SAML signature validation in saml.js does not ensure that the Signature tag is in the proper location inside the Assertion tag, which allows an attacker to bypass permission checks and gain access to...

6.9AI score
Exploits0
Github Security Blog
Github Security Blog
added 2023/06/21 10:0 p.m.19 views

passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token

Information Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory. Overview This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity...

9.3CVSS6.7AI score0.01378EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2023/06/21 10:0 p.m.59 views

GHSA-77FW-RF4V-VFP9 passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token

Information Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory. Overview This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity...

8.1CVSS8AI score0.01378EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2023/06/21 12:0 a.m.7 views

PT-2023-32981 · Unknown · Passport-Wsfed-Saml2

Name of the Vulnerable Software and Affected Versions: passport-wsfed-saml2 versions prior to 3.0.10 Description: A vulnerability was found in the validation of a SAML signature, where the validation doesn't ensure that the Signature tag is at the proper location inside an Assertion tag. This lea...

6.9AI score
Exploits0References5
Snyk
Snyk
added 2023/04/18 4:0 p.m.3 views

Improper Certificate Validation

Amendment This was deemed not a vulnerability. Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to missing SSL Certificate Validation. Note: The vendor does not consider this a vulnerability because the report is only about use of certificates at th...

9.8CVSS6.8AI score0.00465EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2023/03/24 11:15 p.m.2 views

CVE-2022-45597

ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. NOTE: the vendor does not consider this a vulnerability because the report is only about use of certificates at the application layer not the transport layer and "Certificates are exchanged in a controlled fashion between entities...

9.8CVSS7.2AI score0.00465EPSS
Exploits0References4
Veracode
Veracode
added 2022/12/14 3:21 a.m.22 views

Authentication Bypass

passport-wsfed-saml2 is vulnerable to authentication bypass. The vulnerability exists in the retrieveToken function of wsfederation.js due to a lack of proper validation when more than one assertion is inside a token response for WS-Fed, which allows an attacker to bypass WSFed authentication...

7.5CVSS7.4AI score0.00751EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2022/12/13 5:16 p.m.26 views

GHSA-PPJQ-QXHX-M25F Authentication Bypass for passport-wsfed-saml2

Overview A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid us...

5.3CVSS6.5AI score0.00751EPSS
Exploits0References4
NVD
NVD
added 2022/12/13 8:15 a.m.43 views

CVE-2022-23505

Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession...

7.5CVSS0.00751EPSS
Exploits0References1
Prion
Prion
added 2022/12/13 8:15 a.m.21 views

Authentication flaw

Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession...

5CVSS7.7AI score0.00751EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2022/12/13 7:4 a.m.37 views

CVE-2022-23505 Passport-wsfed-saml2 vulnerable to Authentication Bypass for WSFed authentication

Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession...

5.3CVSS7.9AI score0.00751EPSS
Exploits0References1
CVE
CVE
added 2022/12/13 7:4 a.m.69 views

CVE-2022-23505

Passport-wsfed-saml2 (Node.js Passport strategy) prior to 4.6.3 is vulnerable to authentication bypass: an attacker who possesses an arbitrary IDP-signed WSFed assertion may bypass WSFed authentication on websites using the library. Depending on the IDP, fully unauthenticated (no valid user) atta...

7.5CVSS6.4AI score0.00751EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2022/12/13 12:0 a.m.8 views

PT-2022-16038 · Unknown · Passport-Wsfed-Saml2

Name of the Vulnerable Software and Affected Versions: Passport-wsfed-saml2 versions prior to 4.6.3 Description: A remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary ID...

7.5CVSS7.5AI score0.00751EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2022/05/20 11:37 p.m.77 views

CVE-2018-7711

HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP...

8.1CVSS3.6AI score0.01202EPSS
Exploits0References1
OSV
OSV
added 2022/05/17 4:1 a.m.6 views

GHSA-6875-FF47-R6P6 Ipsilon denial of service via a duplicate SP name

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider SP owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name...

4CVSS6AI score0.013EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2022/05/17 4:1 a.m.13 views

Ipsilon denial of service via a duplicate SP name

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider SP owner, which allows remote authenticated users to cause a denial of service via a duplicate SP name...

4CVSS6.3AI score0.013EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2022/05/17 3:27 a.m.5 views

GHSA-9QP4-79Q8-58PR Ipsilon denial of service by deleting a SAML2 Service Provider (SP)

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...

5.5CVSS6AI score0.01493EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2022/05/17 3:27 a.m.9 views

Ipsilon denial of service by deleting a SAML2 Service Provider (SP)

providers/saml2/admin.py in the Identity Provider IdP server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cause a denial of service by deleting a SAML2 Service Provider SP...

5.5CVSS6.3AI score0.01493EPSS
Exploits0References8Affected Software1
Rows per page
Query Builder