Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/simplesamlphp/saml2@1.7.0

Type composer

Namespace simplesamlphp

Name saml2

Version 1.7.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.17.0

Latest_non_vulnerable_version 4.17.0

Affected_by_vulnerabilities

url VCID-139j-7afy-wyf1

vulnerability_id VCID-139j-7afy-wyf1

summary

Improper Input Validation
Rob Richards XmlSecLibs, as used for example by SimpleSAMLphp, performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-3465

reference_id

reference_type

scores

value	0.01873
scoring_system	epss
scoring_elements	0.83485
published_at	2026-06-05T12:55:00Z

value	0.01873
scoring_system	epss
scoring_elements	0.8346
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-3465

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml

reference_url

https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5

reference_url

https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/

reference_url

https://seclists.org/bugtraq/2019/Nov/8

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://seclists.org/bugtraq/2019/Nov/8

reference_url

https://simplesamlphp.org/security/201911-01

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://simplesamlphp.org/security/201911-01

reference_url

https://www.debian.org/security/2019/dsa-4560

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4560

reference_url

https://www.tenable.com/security/tns-2019-09

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.tenable.com/security/tns-2019-09

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107
reference_id	944107
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-3465

reference_id

CVE-2019-3465

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-3465

reference_url

https://github.com/advisories/GHSA-pqm6-cgwr-x6pf

reference_id

GHSA-pqm6-cgwr-x6pf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pqm6-cgwr-x6pf

fixed_packages

url pkg:composer/simplesamlphp/saml2@2.0.0

purl pkg:composer/simplesamlphp/saml2@2.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-ucwf-xdma-h7fc

vulnerability	VCID-v3bx-f3um-8ubc

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

vulnerability	VCID-zemd-kbb3-s3cr

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.0.0

aliases CVE-2019-3465, GHSA-pqm6-cgwr-x6pf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-139j-7afy-wyf1

url VCID-6c55-4pyx-ckbx

vulnerability_id VCID-6c55-4pyx-ckbx

summary

The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding
There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.

I believe that it exists for v4 only. I have not yet developed a PoC.

V5 is well designed and instead builds the signed query from the same message that will be consumed.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27773

reference_id

reference_type

scores

value	0.00157
scoring_system	epss
scoring_elements	0.36254
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27773

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27773
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27773

reference_url

https://github.com/simplesamlphp/saml2

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/saml2

reference_url

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/

url

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113

reference_url

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/

url

https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217

reference_url

https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/

url

https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0

reference_url

https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595
reference_id	1100595
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27773

reference_id

CVE-2025-27773

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27773

reference_url	https://github.com/advisories/GHSA-46r4-f8gj-xg56
reference_id	GHSA-46r4-f8gj-xg56
reference_type
scores
url	https://github.com/advisories/GHSA-46r4-f8gj-xg56

reference_url

https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56

reference_id

GHSA-46r4-f8gj-xg56

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/

url

https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56

fixed_packages

url	pkg:composer/simplesamlphp/saml2@4.17.0
purl	pkg:composer/simplesamlphp/saml2@4.17.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@4.17.0

url	pkg:composer/simplesamlphp/saml2@5.0.0-alpha.20
purl	pkg:composer/simplesamlphp/saml2@5.0.0-alpha.20
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@5.0.0-alpha.20

aliases CVE-2025-27773, GHSA-46r4-f8gj-xg56

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6c55-4pyx-ckbx

url VCID-8b8r-g7e2-qfb2

vulnerability_id VCID-8b8r-g7e2-qfb2

summary

SimpleSAMLphp SAML2 has an XXE in parsing SAML messages
Summary

When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-52806

reference_id

reference_type

scores

value	0.00183
scoring_system	epss
scoring_elements	0.39843
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-52806

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806

reference_url

https://github.com/simplesamlphp/saml2

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/saml2

reference_url

https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/

url

https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904
reference_id	1088904
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-52806

reference_id

CVE-2024-52806

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-52806

reference_url	https://github.com/advisories/GHSA-pxm4-r5ph-q2m2
reference_id	GHSA-pxm4-r5ph-q2m2
reference_type
scores
url	https://github.com/advisories/GHSA-pxm4-r5ph-q2m2

reference_url

https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2

reference_id

GHSA-pxm4-r5ph-q2m2

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/

url

https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2

fixed_packages

url pkg:composer/simplesamlphp/saml2@4.6.14

purl pkg:composer/simplesamlphp/saml2@4.6.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@4.6.14

aliases CVE-2024-52806, GHSA-pxm4-r5ph-q2m2

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8b8r-g7e2-qfb2

url VCID-ma9b-k5br-ffhd

vulnerability_id VCID-ma9b-k5br-ffhd

summary

SimpleSAMLphp xml-common XXE vulnerability
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-52596

reference_id

reference_type

scores

value	0.00218
scoring_system	epss
scoring_elements	0.44529
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-52596

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52596
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52596

reference_url

https://github.com/simplesamlphp/xml-common

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/xml-common

reference_url

https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T18:32:34Z/

url

https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5

reference_url

https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904
reference_id	1088904
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-52596

reference_id

CVE-2024-52596

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-52596

reference_url	https://github.com/advisories/GHSA-2x65-fpch-2fcm
reference_id	GHSA-2x65-fpch-2fcm
reference_type
scores
url	https://github.com/advisories/GHSA-2x65-fpch-2fcm

reference_url

https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm

reference_id

GHSA-2x65-fpch-2fcm

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T18:32:34Z/

url

https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm

fixed_packages

url pkg:composer/simplesamlphp/saml2@4.6.14

purl pkg:composer/simplesamlphp/saml2@4.6.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@4.6.14

aliases CVE-2024-52596, GHSA-2x65-fpch-2fcm

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ma9b-k5br-ffhd

url VCID-ucwf-xdma-h7fc

vulnerability_id VCID-ucwf-xdma-h7fc

summary

Injection Vulnerability
The SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-6519

reference_id

reference_type

scores

value	0.00467
scoring_system	epss
scoring_elements	0.64841
published_at	2026-06-05T12:55:00Z

value	0.00467
scoring_system	epss
scoring_elements	0.64799
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-6519

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-6519.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-6519.yaml

reference_url

https://github.com/simplesamlphp/simplesamlphp

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/simplesamlphp

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-6519

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-6519

reference_url

https://simplesamlphp.org/security/201801-01

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://simplesamlphp.org/security/201801-01

reference_url

https://www.debian.org/security/2018/dsa-4127

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2018/dsa-4127

fixed_packages

url pkg:composer/simplesamlphp/saml2@1.10.4

purl pkg:composer/simplesamlphp/saml2@1.10.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-139j-7afy-wyf1

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.4

url pkg:composer/simplesamlphp/saml2@2.3.5

purl pkg:composer/simplesamlphp/saml2@2.3.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-v3bx-f3um-8ubc

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.5

url pkg:composer/simplesamlphp/saml2@3.1.1

purl pkg:composer/simplesamlphp/saml2@3.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.1.1

aliases CVE-2018-6519, GHSA-hhm8-2j4g-mpgg

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ucwf-xdma-h7fc

url VCID-wbt9-snjj-uuea

vulnerability_id VCID-wbt9-snjj-uuea

summary

Improper signature validation
The `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-7644

reference_id

reference_type

scores

value	0.00213
scoring_system	epss
scoring_elements	0.43902
published_at	2026-06-05T12:55:00Z

value	0.00213
scoring_system	epss
scoring_elements	0.43832
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-7644

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7644.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7644.yaml

reference_url

https://github.com/simplesamlphp/simplesamlphp

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/simplesamlphp

reference_url

https://simplesamlphp.org/security/201802-01

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://simplesamlphp.org/security/201802-01

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-7644

reference_id

CVE-2018-7644

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-7644

fixed_packages

url pkg:composer/simplesamlphp/saml2@1.10.5

purl pkg:composer/simplesamlphp/saml2@1.10.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-139j-7afy-wyf1

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.5

url pkg:composer/simplesamlphp/saml2@2.3.7

purl pkg:composer/simplesamlphp/saml2@2.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-v3bx-f3um-8ubc

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.7

url pkg:composer/simplesamlphp/saml2@3.1.3

purl pkg:composer/simplesamlphp/saml2@3.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.1.3

aliases CVE-2018-7644, GHSA-923w-2xv2-7pr8

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wbt9-snjj-uuea

url VCID-xx6m-pvgs-puga

vulnerability_id VCID-xx6m-pvgs-puga

summary

Incorrect signature validation
An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-7711

reference_id

reference_type

scores

value	0.0032
scoring_system	epss
scoring_elements	0.55317
published_at	2026-06-04T12:55:00Z

value	0.0032
scoring_system	epss
scoring_elements	0.55374
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-7711

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7711
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7711

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml

reference_url

https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d

reference_url

https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html

reference_url

https://simplesamlphp.org/security/201803-01

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://simplesamlphp.org/security/201803-01

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-7711

reference_id

CVE-2018-7711

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-7711

fixed_packages

url pkg:composer/simplesamlphp/saml2@1.10.6

purl pkg:composer/simplesamlphp/saml2@1.10.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-139j-7afy-wyf1

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.6

url pkg:composer/simplesamlphp/saml2@2.3.8

purl pkg:composer/simplesamlphp/saml2@2.3.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-v3bx-f3um-8ubc

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.8

url pkg:composer/simplesamlphp/saml2@3.1.4

purl pkg:composer/simplesamlphp/saml2@3.1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@3.1.4

aliases CVE-2018-7711, GHSA-g888-g2pp-82hf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xx6m-pvgs-puga

url VCID-zemd-kbb3-s3cr

vulnerability_id VCID-zemd-kbb3-s3cr

summary

Incorrect signature verification
An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2016-9814

reference_id

reference_type

scores

value	0.00825
scoring_system	epss
scoring_elements	0.74858
published_at	2026-06-05T12:55:00Z

value	0.00825
scoring_system	epss
scoring_elements	0.74827
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2016-9814

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2016-9814.yaml

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2016-9814.yaml

reference_url	https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c
reference_id
reference_type
scores
url	https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c

reference_url	https://github.com/simplesamlphp/saml2/pull/81
reference_id
reference_type
scores
url	https://github.com/simplesamlphp/saml2/pull/81

reference_url

https://github.com/simplesamlphp/simplesamlphp

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/simplesamlphp/simplesamlphp

reference_url

https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2016-9814

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2016-9814

reference_url

https://simplesamlphp.org/security/201612-01

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://simplesamlphp.org/security/201612-01

reference_url

http://www.securityfocus.com/bid/94730

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/94730

fixed_packages

url pkg:composer/simplesamlphp/saml2@1.8.1

purl pkg:composer/simplesamlphp/saml2@1.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-139j-7afy-wyf1

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-ucwf-xdma-h7fc

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

vulnerability	VCID-zemd-kbb3-s3cr

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.8.1

url pkg:composer/simplesamlphp/saml2@1.9.1

purl pkg:composer/simplesamlphp/saml2@1.9.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-139j-7afy-wyf1

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-ucwf-xdma-h7fc

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.9.1

url pkg:composer/simplesamlphp/saml2@1.10.3

purl pkg:composer/simplesamlphp/saml2@1.10.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-139j-7afy-wyf1

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-ucwf-xdma-h7fc

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.10.3

url pkg:composer/simplesamlphp/saml2@2.3.3

purl pkg:composer/simplesamlphp/saml2@2.3.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6c55-4pyx-ckbx

vulnerability	VCID-8b8r-g7e2-qfb2

vulnerability	VCID-ma9b-k5br-ffhd

vulnerability	VCID-ucwf-xdma-h7fc

vulnerability	VCID-v3bx-f3um-8ubc

vulnerability	VCID-wbt9-snjj-uuea

vulnerability	VCID-xx6m-pvgs-puga

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@2.3.3

aliases CVE-2016-9814, GHSA-r8v4-7vwj-983x

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zemd-kbb3-s3cr

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/saml2@1.7.0

Package Instance