Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/53258?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53258?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.1", "type": "composer", "namespace": "simplesamlphp", "name": "simplesamlphp", "version": "1.14.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.0.15", "latest_non_vulnerable_version": "2.3.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52175?format=api", "vulnerability_id": "VCID-2etk-v7gt-pqhn", "summary": "Link injection in SimpleSAMLphp\n### Background\nSeveral scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.\n\n### Description\nThe following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:\n\n- `www/logout.php`\n- `modules/core/www/no_cookie.php`\n\nThe issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the `link_href` and `retryURL` HTTP parameters, respectively. The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the `trusted.url.domains` configuration option.\n\n### Affected versions\nAll SimpleSAMLphp versions prior to 1.14.4.\n\n### Impact\nA remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.\n\n### Resolution\nUpgrade to the latest version.\n\n### Credit\nThis security issue was discovered and reported by John Page (hyp3rlinx).", "references": [ { "reference_url": "https://snyk.io/vuln/SNYK-PHP-SIMPLESAMLPHPSIMPLESAMLPHP-70160", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-PHP-SIMPLESAMLPHPSIMPLESAMLPHP-70160" }, { "reference_url": "https://github.com/advisories/GHSA-2r3v-q9x3-7g46", "reference_id": "GHSA-2r3v-q9x3-7g46", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2r3v-q9x3-7g46" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-2r3v-q9x3-7g46", "reference_id": "GHSA-2r3v-q9x3-7g46", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-2r3v-q9x3-7g46" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52749?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-b3fn-bnh5-qyg4" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-d1d1-jng1-4fe6" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.4" } ], "aliases": [ "GHSA-2r3v-q9x3-7g46", "GMS-2020-602" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2etk-v7gt-pqhn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38134?format=api", "vulnerability_id": "VCID-3d8m-wtww-2yah", "summary": "Link injection\n`www/logout.php` and `modules/core/www/no_cookie.php` are not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on. It allows attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the `link_href` and `retryURL` HTTP parameters, respectively.", "references": [ { "reference_url": "https://simplesamlphp.org/security/201606-01", "reference_id": "", "reference_type": "", "scores": [], "url": "https://simplesamlphp.org/security/201606-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52749?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-b3fn-bnh5-qyg4" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-d1d1-jng1-4fe6" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.4" } ], "aliases": [ "201606-01" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3d8m-wtww-2yah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39369?format=api", "vulnerability_id": "VCID-4gux-4jrc-w7ce", "summary": "URL Redirection to Untrusted Site (Open Redirect)\n`SimpleSAMLphp` allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6520", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37315", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37309", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37218", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6520" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6520", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6520" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6520.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6520.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/issues/1473", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/issues/1473" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6520", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6520" }, { "reference_url": "https://simplesamlphp.org/security/201801-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201801-02" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54979?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.2" } ], "aliases": [ "CVE-2018-6520", "GHSA-2qfc-48v5-4w5h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4gux-4jrc-w7ce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52533?format=api", "vulnerability_id": "VCID-6fwf-1xps-t7g5", "summary": "Information Exposure\nSimpleSAMLphp contain an information disclosure vulnerability. The module controller in `SimpleSAML\\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5301", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.3418", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34164", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34064", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5301" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2020-5301.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2020-5301.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq" }, { "reference_url": "https://simplesamlphp.org/security/202004-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/202004-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5301", "reference_id": "CVE-2020-5301", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5301" }, { "reference_url": "https://github.com/advisories/GHSA-24m3-w8g9-jwpq", "reference_id": "GHSA-24m3-w8g9-jwpq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-24m3-w8g9-jwpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77140?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.18.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hhq1-kxga-87ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.18.6" } ], "aliases": [ "CVE-2020-5301", "GHSA-24m3-w8g9-jwpq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6fwf-1xps-t7g5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55067?format=api", "vulnerability_id": "VCID-96db-3jav-tkay", "summary": "SimpleSAMLphp Reflected Cross-site Scripting vulnerability\nWhen sending a SAML message to another entity, SimpleSAMLphp will use the URL of the appropriate endpoint to redirect the user’s browser to it, or craft a form that will be automatically posted to it, depending on the SAML binding used. The URL that’s target of the message is fetched from the stored metadata for the given entity, and that metadata is trusted as correct.\n\nHowever, if that metadata has been altered by a malicious party (either an attacker or a rogue administrator) to substitute the URLs of the endpoints with javascript code, SimpleSAMLphp was blindly using them without any validation, trusting the contents of the metadata. This would lead to a reflected XSS where the javascript code is sent inline to the web browser, and if SimpleSAMLphp is not using a strict Content Security Policy to forbid inline javascript (which is the case of the default user interface), then the code will be executed in the end user’s browser.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/2019-07-10.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/2019-07-10.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/ce2294e092b3be7db2fc4e18e774b791d4564ff3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/ce2294e092b3be7db2fc4e18e774b791d4564ff3" }, { "reference_url": "https://simplesamlphp.org/security/201907-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201907-01" }, { "reference_url": "https://github.com/advisories/GHSA-vpr3-cw3h-prw8", "reference_id": "GHSA-vpr3-cw3h-prw8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vpr3-cw3h-prw8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81656?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.17.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-8w1y-praq-2bb2" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-pecs-5zkn-6qfq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.17.3" } ], "aliases": [ "GHSA-vpr3-cw3h-prw8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-96db-3jav-tkay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38480?format=api", "vulnerability_id": "VCID-b3fn-bnh5-qyg4", "summary": "Incorrect signature verification of SAML 1 messages\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider. This vulnerability is not to be confused with the one described and related to SAML 2 messages.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9955", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.6165", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61705", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61698", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9955" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9955", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9955" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9955", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9955" }, { "reference_url": "https://simplesamlphp.org/security/201612-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201612-02" }, { "reference_url": "http://www.securityfocus.com/bid/94946", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/94946" }, { "reference_url": "https://github.com/advisories/GHSA-p9cm-r7jg-8q3g", "reference_id": "GHSA-p9cm-r7jg-8q3g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p9cm-r7jg-8q3g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53290?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.11" } ], "aliases": [ "CVE-2016-9955", "GHSA-p9cm-r7jg-8q3g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3fn-bnh5-qyg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39108?format=api", "vulnerability_id": "VCID-cmqz-hp34-8kcx", "summary": "Improper Certificate Validation\nSignature validation bypass in simplesamlphp.", "references": [ { "reference_url": "https://simplesamlphp.org/security/201710-01", "reference_id": "", "reference_type": "", "scores": [], "url": "https://simplesamlphp.org/security/201710-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54606?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/151155?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1" } ], "aliases": [ "201710-01" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cmqz-hp34-8kcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41159?format=api", "vulnerability_id": "VCID-d1cm-xhdp-8qhv", "summary": "Cross-site Scripting\nReflected Cross-Site-Scripting in simplesamlphp.", "references": [ { "reference_url": "https://simplesamlphp.org/security/201907-01", "reference_id": "", "reference_type": "", "scores": [], "url": "https://simplesamlphp.org/security/201907-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58293?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-8w1y-praq-2bb2" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-pecs-5zkn-6qfq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.17.0" } ], "aliases": [ "GMS-2019-149" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1cm-xhdp-8qhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38794?format=api", "vulnerability_id": "VCID-d1d1-jng1-4fe6", "summary": "Session Fixation\nSimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00725", "scoring_system": "epss", "scoring_elements": "0.72997", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00725", "scoring_system": "epss", "scoring_elements": "0.7299", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00725", "scoring_system": "epss", "scoring_elements": "0.72952", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://simplesamlphp.org/security/201612-04", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201612-04" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12873", "reference_id": "CVE-2017-12873", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12873" }, { "reference_url": "https://github.com/advisories/GHSA-gp2m-7cfp-h6gf", "reference_id": "GHSA-gp2m-7cfp-h6gf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gp2m-7cfp-h6gf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53290?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.11" } ], "aliases": [ "CVE-2017-12873", "GHSA-gp2m-7cfp-h6gf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1d1-jng1-4fe6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38799?format=api", "vulnerability_id": "VCID-dgs2-3xbu-c3ff", "summary": "Information Exposure\nThe `SimpleSAML_Session` class in SimpleSAMLphp allows remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00404", "scoring_system": "epss", "scoring_elements": "0.61277", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00404", "scoring_system": "epss", "scoring_elements": "0.61333", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00404", "scoring_system": "epss", "scoring_elements": "0.61325", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12872" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12872", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12872" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html" }, { "reference_url": "https://simplesamlphp.org/security/201703-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201703-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12872", "reference_id": "CVE-2017-12872", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12872" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54042?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/151155?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1" } ], "aliases": [ "CVE-2017-12872", "GHSA-v882-949x-6v28" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dgs2-3xbu-c3ff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38796?format=api", "vulnerability_id": "VCID-dvwj-zd42-nbhe", "summary": "Information Exposure\nSimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the `aesEncrypt` and `aesDecrypt` methods in the `SimpleSAML/Utils/Crypto` class to protect session identifiers in replies to non-HTTPS service providers.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12870", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49635", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49625", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49563", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12870" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12870", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12870" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12870.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12870.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/4c939be1696bacb2b95ee11d4ebc5814a08b04c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/4c939be1696bacb2b95ee11d4ebc5814a08b04c5" }, { "reference_url": "https://simplesamlphp.org/security/201704-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201704-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12870", "reference_id": "CVE-2017-12870", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12870" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54043?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.13" } ], "aliases": [ "CVE-2017-12870", "GHSA-44pr-mgcp-v36r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dvwj-zd42-nbhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38777?format=api", "vulnerability_id": "VCID-gwtm-bdae-3ufj", "summary": "Invalid token creation and validation\nThe `SimpleSAML_Auth_TimeLimitedToken` class in SimpleSAMLphp allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47615", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47613", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47549", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://simplesamlphp.org/security/201708-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201708-01" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12867", "reference_id": "CVE-2017-12867", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12867" }, { "reference_url": "https://github.com/advisories/GHSA-597c-mh7m-48v7", "reference_id": "GHSA-597c-mh7m-48v7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-597c-mh7m-48v7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54013?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.15" } ], "aliases": [ "CVE-2017-12867", "GHSA-597c-mh7m-48v7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gwtm-bdae-3ufj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56288?format=api", "vulnerability_id": "VCID-hhq1-kxga-87ea", "summary": "SimpleSAMLphp vulnerable to XXE in parsing SAML messages\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.", "references": [ { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52596", "reference_id": "CVE-2024-52596", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52596" }, { "reference_url": "https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm", "reference_id": "GHSA-2x65-fpch-2fcm", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm" }, { "reference_url": "https://github.com/advisories/GHSA-j5g2-q29x-cw3h", "reference_id": "GHSA-j5g2-q29x-cw3h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j5g2-q29x-cw3h" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-j5g2-q29x-cw3h", "reference_id": "GHSA-j5g2-q29x-cw3h", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-j5g2-q29x-cw3h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83400?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@2.0.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@2.0.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/787058?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@2.1.0-rc1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@2.1.0-rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/83399?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@2.1.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@2.1.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/83398?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@2.2.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@2.2.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/83397?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@2.3.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@2.3.4" } ], "aliases": [ "GHSA-j5g2-q29x-cw3h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hhq1-kxga-87ea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55066?format=api", "vulnerability_id": "VCID-j3sv-ccme-rbdn", "summary": "SimpleSAMLphp Link Injection vulnerability\nThe following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:\n\n- www/logout.php\n- modules/core/www/no_cookie.php\nThe issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link_href and retryURL HTTP parameters, respectively. The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the trusted.url.domains configuration option.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/201606-01.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/201606-01.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/b1af4e47c81bca2bee633b3f84f4fde624f359ba", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/b1af4e47c81bca2bee633b3f84f4fde624f359ba" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/d26eb8f17dc9916a5ef2fd0a286b0fc96a561e71", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/d26eb8f17dc9916a5ef2fd0a286b0fc96a561e71" }, { "reference_url": "https://simplesamlphp.org/security/201606-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201606-01" }, { "reference_url": "https://github.com/advisories/GHSA-v858-922f-fj9v", "reference_id": "GHSA-v858-922f-fj9v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v858-922f-fj9v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52749?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-b3fn-bnh5-qyg4" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-d1d1-jng1-4fe6" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.4" } ], "aliases": [ "GHSA-v858-922f-fj9v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j3sv-ccme-rbdn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38798?format=api", "vulnerability_id": "VCID-k5d6-k216-8ub8", "summary": "Incorrect IV generation for encryption\nThe `aesEncrypt` method in `lib/SimpleSAML/Utils/Crypto` makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23768", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23783", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23687", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12871" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12871", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12871" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0" }, { "reference_url": "https://simplesamlphp.org/security/201703-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201703-02" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12871", "reference_id": "CVE-2017-12871", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12871" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54042?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.12" } ], "aliases": [ "CVE-2017-12871", "GHSA-ww3w-592j-5qrw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k5d6-k216-8ub8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39375?format=api", "vulnerability_id": "VCID-mfwu-mfhq-fkh8", "summary": "Improper Verification of Cryptographic Signature\nA SimpleSAMLphp Service Provider using SAML will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54308", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.543", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54243", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" }, { "reference_url": "https://simplesamlphp.org/security/201710-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201710-01" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286", "reference_id": "889286", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18122", "reference_id": "CVE-2017-18122", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18122" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54606?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.17" } ], "aliases": [ "CVE-2017-18122", "GHSA-j4qf-3w33-8cgc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mfwu-mfhq-fkh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39372?format=api", "vulnerability_id": "VCID-pskx-9d46-bfdt", "summary": "Cross-site Scripting\nThe consentAdmin module in SimpleSAMLphp is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58142", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58151", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58091", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" }, { "reference_url": "https://simplesamlphp.org/security/201709-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201709-01" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286", "reference_id": "889286", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18121", "reference_id": "CVE-2017-18121", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18121" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54985?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.16" } ], "aliases": [ "CVE-2017-18121", "GHSA-fv7m-wc3v-wr3w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pskx-9d46-bfdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55048?format=api", "vulnerability_id": "VCID-ugw3-xgan-k3fm", "summary": "Duplicate Advisory: SimpleSAMLphp signature validation bypass\nA signature validation bypass issue has been found in the `SimpleSAML_XML_Validator` class. This class performs the verification of the XML digital signature of a SAML 1 message with a given key.\n\nWhen a SAML 1 authentication response message is received, it is processed to verify its authenticity, including a check for the signature or signatures included in the message. If the message is not signed but the assertions contained in it are, the signatures of those assertions signed will be verified. Unsigned assertions will not be verified. After verifying every signed element in the response, a list of valid nodes is built, holding the DOM nodes of those XML elements that are signed and whose signatures have been successfully verified.\n\nOnce this list is built, the assertions need to be processed individually. They are not processed until the getAttributes() method of the SimpleSAML_XML_Shib13_AuthnResponse class is called. This method iterates through the list of assertions contained in the response and makes sure they were validated in the previous signature verification step, by checking if their corresponding DOM nodes are in the list of those verified.\n\nThe vulnerability is due to lax comparison of the node being checked and the nodes in the verified list. The isNodeValidated() method of the SimpleSAML_XML_Validator class checks if a given DOM node is in the validNodes array by means of the standard in_array() function. This function, however, will return unexpected results due to the default lax behaviour when checking data types in PHP. In this case, the fact that there is a DOM node in the list is enough for in_array() to return true when looking for any DOM node. This means any unsigned assertion will be considered verified if there is at least one assertion with a valid signature in the message being processed.\n\nThis issue allows an attacker to generate a SAML 1 authentication response that contains two different assertions. The first assertion is the one the attacker wants the Service Provider to use, with custom attributes, expiration and even entityID (provided that the given entityID belongs to an Identity Provider that the Service Provider knows and trusts). The second is a legitimate assertion issued and signed by an Identity Provider trusted by the Service Provider. If the second assertion is still valid when sent by the attacker, SimpleSAMLphp will merge all the attributes found in both assertions, but the entityID registered for the authenticating third-party will be the one found in the first, tampered assertion. If the second (legitimate) assertion is already expired when the attacker sends it, only the attributes found in the tampered assertion will be used.\n\nThe issue can be easily fixed by passing a third parameter to the in_array() function, telling it to perform strict comparisons when checking if an object is found inside a given array. This way, when the code evaluates if the tampered assertion is included in the list of verified assertions, it fails and only the legitimate assertion is used, if possible (e.g. it is not expired).", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/201710-01.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/201710-01.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca" }, { "reference_url": "https://simplesamlphp.org/security/201710-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201710-01" }, { "reference_url": "https://github.com/advisories/GHSA-fjr2-r2mp-484p", "reference_id": "GHSA-fjr2-r2mp-484p", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fjr2-r2mp-484p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54606?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.17" } ], "aliases": [ "GHSA-fjr2-r2mp-484p" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ugw3-xgan-k3fm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38797?format=api", "vulnerability_id": "VCID-va8h-3qxg-uqh2", "summary": "Session fixation issue and authentication bypass\nThe `secureCompare` method in `lib/SimpleSAML/Utils/Crypto` when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00764", "scoring_system": "epss", "scoring_elements": "0.73788", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00764", "scoring_system": "epss", "scoring_elements": "0.7383", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00764", "scoring_system": "epss", "scoring_elements": "0.73825", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12868" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12868", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12868" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html" }, { "reference_url": "https://simplesamlphp.org/security/201705-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201705-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12868", "reference_id": "CVE-2017-12868", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12868" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54012?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.14" } ], "aliases": [ "CVE-2017-12868", "GHSA-j96g-47x2-46hv" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-va8h-3qxg-uqh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38800?format=api", "vulnerability_id": "VCID-yn8q-d76k-q3h2", "summary": "Improper Input Validation\nThe multiauth module in `SimpleSAMLphp` allows remote attackers to bypass authentication context restrictions and use an authentication source defined in `config/authsources.php` via vectors related to improper validation of user input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00418", "scoring_system": "epss", "scoring_elements": "0.6213", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00418", "scoring_system": "epss", "scoring_elements": "0.62187", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00418", "scoring_system": "epss", "scoring_elements": "0.62179", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12869" }, { "reference_url": "https://simplesamlphp.org/security/201704-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201704-02" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54012?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.14" } ], "aliases": [ "CVE-2017-12869", "GHSA-qc43-78vj-vg7p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yn8q-d76k-q3h2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39368?format=api", "vulnerability_id": "VCID-ywuy-my3f-x7cd", "summary": "Security Misconfigurations\nThe sqlauth module in `SimpleSAMLphp` relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00585", "scoring_system": "epss", "scoring_elements": "0.69477", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00585", "scoring_system": "epss", "scoring_elements": "0.69468", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00585", "scoring_system": "epss", "scoring_elements": "0.69429", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6521.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6521.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6521" }, { "reference_url": "https://simplesamlphp.org/security/201801-03", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201801-03" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54979?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-hhq1-kxga-87ea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.2" } ], "aliases": [ "CVE-2018-6521", "GHSA-qv5p-6wrc-79wg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ywuy-my3f-x7cd" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38472?format=api", "vulnerability_id": "VCID-jv7n-m3cf-jfex", "summary": "Information leakage in sanitycheck\nA remote attacker could learn information about the exact PHP version run by the affected system, allowing the search for vulnerabilities known to work with that version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-3124", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42239", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42325", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42314", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-3124" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3124", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3124" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-3124.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-3124.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/952027dd7f794ff4b2d4f5eddf549c5b5070fa38", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/952027dd7f794ff4b2d4f5eddf549c5b5070fa38" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3124", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3124" }, { "reference_url": "https://simplesamlphp.org/security/201603-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201603-01" }, { "reference_url": "http://www.securityfocus.com/bid/96134", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/96134" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817162", "reference_id": "817162", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817162" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53258?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2etk-v7gt-pqhn" }, { "vulnerability": "VCID-3d8m-wtww-2yah" }, { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-96db-3jav-tkay" }, { "vulnerability": "VCID-b3fn-bnh5-qyg4" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-d1d1-jng1-4fe6" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-hhq1-kxga-87ea" }, { "vulnerability": "VCID-j3sv-ccme-rbdn" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ugw3-xgan-k3fm" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.1" } ], "aliases": [ "CVE-2016-3124", "GHSA-9327-mqm6-x97j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jv7n-m3cf-jfex" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.1" }