CVE-2020-5226 Cross-site scripting in SimpleSAMLphp

Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a...

CVE-2020-5226

CVE-2020-5226 affects SimpleSAMLphp prior to 1.18.4. The vulnerability stems from www/errorreport.php where error reports are sent via the SimpleSAML\Utils\EMail wrapper. Starting with 1.18.0, Twig-based email templates were introduced; Twig escapes variables, but the older plain PHP template did...

CVE-2020-5226

Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a...

DEBIAN-CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

UBUNTU-CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

Design/Logic Flaw

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVE-2020-5225 Log injection in SimpleSAMLphp

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

CVE-2020-5225

The CVE-2020-5225 issue affects SimpleSAMLphp up to version 1.18.3, where the www/errorreport.php endpoint did not sanitize the reportID parameter, allowing an attacker to inject newline characters and append arbitrary log lines when the file logging handler is used. This could lead to log inject...

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances,...

[R1] SimpleSAMLPHP Stand-alone Patch Available for Tenable.sc versions 5.9.x to 5.12.x

Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components SimpleSAMLPHP was found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to...

[R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities

Tenable.sc leverages third-party software to help provide underlying functionality. Three separate third-party components OpenSSL, Apache HTTP Server, SimpleSAMLphp were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line wi...

Fedora 29 : php-robrichards-xmlseclibs3 (2019-be01267416)

3.0.4 CVE-2019-3465 / https://simplesamlphp.org/security/201911-01 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing...

GHSA-PQM6-CGWR-X6PF Signature validation bypass in XmlSecLibs

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message...

Signature validation bypass in XmlSecLibs

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message...

SQL Injection in SimpleSAMLphp

The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php...

GHSA-852Q-XXJ4-X2RX SQL Injection in SimpleSAMLphp

The proxystatistics module before 3.1.0 for SimpleSAMLphp allows SQL Injection in lib/Auth/Process/DatabaseCommand.php...

CVE-2019-3465

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message...