Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/53290?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53290?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.11", "type": "composer", "namespace": "simplesamlphp", "name": "simplesamlphp", "version": "1.14.11", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.18.6", "latest_non_vulnerable_version": "2.3.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39369?format=api", "vulnerability_id": "VCID-4gux-4jrc-w7ce", "summary": "URL Redirection to Untrusted Site (Open Redirect)\n`SimpleSAMLphp` allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6520", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37218", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6520" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6520.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6520.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/issues/1473", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/issues/1473" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6520", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6520" }, { "reference_url": "https://simplesamlphp.org/security/201801-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201801-02" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54979?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.2" } ], "aliases": [ "CVE-2018-6520", "GHSA-2qfc-48v5-4w5h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4gux-4jrc-w7ce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52533?format=api", "vulnerability_id": "VCID-6fwf-1xps-t7g5", "summary": "Information Exposure\nSimpleSAMLphp contain an information disclosure vulnerability. The module controller in `SimpleSAML\\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists, it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5301", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34064", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-5301" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2020-5301.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2020-5301.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq" }, { "reference_url": "https://simplesamlphp.org/security/202004-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/202004-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5301", "reference_id": "CVE-2020-5301", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5301" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77140?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.18.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.18.6" } ], "aliases": [ "CVE-2020-5301", "GHSA-24m3-w8g9-jwpq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6fwf-1xps-t7g5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39108?format=api", "vulnerability_id": "VCID-cmqz-hp34-8kcx", "summary": "Improper Certificate Validation\nSignature validation bypass in simplesamlphp.", "references": [ { "reference_url": "https://simplesamlphp.org/security/201710-01", "reference_id": "", "reference_type": "", "scores": [], "url": "https://simplesamlphp.org/security/201710-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54606?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/151155?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1" } ], "aliases": [ "201710-01" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cmqz-hp34-8kcx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41159?format=api", "vulnerability_id": "VCID-d1cm-xhdp-8qhv", "summary": "Cross-site Scripting\nReflected Cross-Site-Scripting in simplesamlphp.", "references": [ { "reference_url": "https://simplesamlphp.org/security/201907-01", "reference_id": "", "reference_type": "", "scores": [], "url": "https://simplesamlphp.org/security/201907-01" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58293?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.17.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-8w1y-praq-2bb2" }, { "vulnerability": "VCID-pecs-5zkn-6qfq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.17.0" } ], "aliases": [ "GMS-2019-149" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1cm-xhdp-8qhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38799?format=api", "vulnerability_id": "VCID-dgs2-3xbu-c3ff", "summary": "Information Exposure\nThe `SimpleSAML_Session` class in SimpleSAMLphp allows remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12872", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00404", "scoring_system": "epss", "scoring_elements": "0.61277", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12872" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html" }, { "reference_url": "https://simplesamlphp.org/security/201703-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201703-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12872", "reference_id": "CVE-2017-12872", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12872" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54042?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/151155?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.0-rc1" } ], "aliases": [ "CVE-2017-12872", "GHSA-v882-949x-6v28" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dgs2-3xbu-c3ff" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38796?format=api", "vulnerability_id": "VCID-dvwj-zd42-nbhe", "summary": "Information Exposure\nSimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the `aesEncrypt` and `aesDecrypt` methods in the `SimpleSAML/Utils/Crypto` class to protect session identifiers in replies to non-HTTPS service providers.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12870", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49563", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12870" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12870.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12870.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/4c939be1696bacb2b95ee11d4ebc5814a08b04c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/4c939be1696bacb2b95ee11d4ebc5814a08b04c5" }, { "reference_url": "https://simplesamlphp.org/security/201704-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201704-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12870", "reference_id": "CVE-2017-12870", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12870" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54043?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.13" } ], "aliases": [ "CVE-2017-12870", "GHSA-44pr-mgcp-v36r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dvwj-zd42-nbhe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38777?format=api", "vulnerability_id": "VCID-gwtm-bdae-3ufj", "summary": "Invalid token creation and validation\nThe `SimpleSAML_Auth_TimeLimitedToken` class in SimpleSAMLphp allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00241", "scoring_system": "epss", "scoring_elements": "0.47549", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12867" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://simplesamlphp.org/security/201708-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201708-01" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12867", "reference_id": "CVE-2017-12867", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12867" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54013?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.15" } ], "aliases": [ "CVE-2017-12867", "GHSA-597c-mh7m-48v7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gwtm-bdae-3ufj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38798?format=api", "vulnerability_id": "VCID-k5d6-k216-8ub8", "summary": "Incorrect IV generation for encryption\nThe `aesEncrypt` method in `lib/SimpleSAML/Utils/Crypto` makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12871", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23687", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12871" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0" }, { "reference_url": "https://simplesamlphp.org/security/201703-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201703-02" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12871", "reference_id": "CVE-2017-12871", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12871" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54042?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.12" } ], "aliases": [ "CVE-2017-12871", "GHSA-ww3w-592j-5qrw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k5d6-k216-8ub8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39375?format=api", "vulnerability_id": "VCID-mfwu-mfhq-fkh8", "summary": "Improper Verification of Cryptographic Signature\nA SimpleSAMLphp Service Provider using SAML will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00308", "scoring_system": "epss", "scoring_elements": "0.54243", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18122" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" }, { "reference_url": "https://simplesamlphp.org/security/201710-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201710-01" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286", "reference_id": "889286", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18122", "reference_id": "CVE-2017-18122", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18122" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54606?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.17" } ], "aliases": [ "CVE-2017-18122", "GHSA-j4qf-3w33-8cgc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mfwu-mfhq-fkh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39372?format=api", "vulnerability_id": "VCID-pskx-9d46-bfdt", "summary": "Cross-site Scripting\nThe consentAdmin module in SimpleSAMLphp is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00355", "scoring_system": "epss", "scoring_elements": "0.58091", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" }, { "reference_url": "https://simplesamlphp.org/security/201709-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201709-01" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286", "reference_id": "889286", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18121", "reference_id": "CVE-2017-18121", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18121" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54985?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.16" } ], "aliases": [ "CVE-2017-18121", "GHSA-fv7m-wc3v-wr3w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pskx-9d46-bfdt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38797?format=api", "vulnerability_id": "VCID-va8h-3qxg-uqh2", "summary": "Session fixation issue and authentication bypass\nThe `secureCompare` method in `lib/SimpleSAML/Utils/Crypto` when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12868", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00764", "scoring_system": "epss", "scoring_elements": "0.73788", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12868" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html" }, { "reference_url": "https://simplesamlphp.org/security/201705-01", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201705-01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12868", "reference_id": "CVE-2017-12868", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12868" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54012?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.14" } ], "aliases": [ "CVE-2017-12868", "GHSA-j96g-47x2-46hv" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-va8h-3qxg-uqh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38800?format=api", "vulnerability_id": "VCID-yn8q-d76k-q3h2", "summary": "Improper Input Validation\nThe multiauth module in `SimpleSAMLphp` allows remote attackers to bypass authentication context restrictions and use an authentication source defined in `config/authsources.php` via vectors related to improper validation of user input.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00418", "scoring_system": "epss", "scoring_elements": "0.6213", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12869", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12869" }, { "reference_url": "https://simplesamlphp.org/security/201704-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201704-02" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54012?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.14" } ], "aliases": [ "CVE-2017-12869", "GHSA-qc43-78vj-vg7p" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yn8q-d76k-q3h2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39368?format=api", "vulnerability_id": "VCID-ywuy-my3f-x7cd", "summary": "Security Misconfigurations\nThe sqlauth module in `SimpleSAMLphp` relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00585", "scoring_system": "epss", "scoring_elements": "0.69429", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6521" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6521.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6521.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6521", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6521" }, { "reference_url": "https://simplesamlphp.org/security/201801-03", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201801-03" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/54979?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.15.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.15.2" } ], "aliases": [ "CVE-2018-6521", "GHSA-qv5p-6wrc-79wg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ywuy-my3f-x7cd" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38480?format=api", "vulnerability_id": "VCID-b3fn-bnh5-qyg4", "summary": "Incorrect signature verification of SAML 1 messages\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider. This vulnerability is not to be confused with the one described and related to SAML 2 messages.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9955", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.6165", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9955" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9955", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9955" }, { "reference_url": "https://simplesamlphp.org/security/201612-02", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201612-02" }, { "reference_url": "http://www.securityfocus.com/bid/94946", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/94946" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53290?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.11" } ], "aliases": [ "CVE-2016-9955", "GHSA-p9cm-r7jg-8q3g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b3fn-bnh5-qyg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38794?format=api", "vulnerability_id": "VCID-d1d1-jng1-4fe6", "summary": "Session Fixation\nSimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12873", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00725", "scoring_system": "epss", "scoring_elements": "0.72952", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12873" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953" }, { "reference_url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html" }, { "reference_url": "https://simplesamlphp.org/security/201612-04", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://simplesamlphp.org/security/201612-04" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4127", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4127" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12873", "reference_id": "CVE-2017-12873", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12873" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53290?format=api", "purl": "pkg:composer/simplesamlphp/simplesamlphp@1.14.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4gux-4jrc-w7ce" }, { "vulnerability": "VCID-6fwf-1xps-t7g5" }, { "vulnerability": "VCID-cmqz-hp34-8kcx" }, { "vulnerability": "VCID-d1cm-xhdp-8qhv" }, { "vulnerability": "VCID-dgs2-3xbu-c3ff" }, { "vulnerability": "VCID-dvwj-zd42-nbhe" }, { "vulnerability": "VCID-gwtm-bdae-3ufj" }, { "vulnerability": "VCID-k5d6-k216-8ub8" }, { "vulnerability": "VCID-mfwu-mfhq-fkh8" }, { "vulnerability": "VCID-pskx-9d46-bfdt" }, { "vulnerability": "VCID-va8h-3qxg-uqh2" }, { "vulnerability": "VCID-yn8q-d76k-q3h2" }, { "vulnerability": "VCID-ywuy-my3f-x7cd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.11" } ], "aliases": [ "CVE-2017-12873", "GHSA-gp2m-7cfp-h6gf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d1d1-jng1-4fe6" } ], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/simplesamlphp/simplesamlphp@1.14.11" }