VulnerableCode Package Details - pkg:composer/simplesamlphp/saml2@1.3.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/simplesamlphp/saml2@1.3.0

Essentials
History (5)

purl	pkg:composer/simplesamlphp/saml2@1.3.0

Next non-vulnerable version	2.3.8
Latest non-vulnerable version	4.17.0
Risk	4.5

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-139j-7afy-wyf1 Aliases: CVE-2019-3465 GHSA-pqm6-cgwr-x6pf	Improper Input Validation Rob Richards XmlSecLibs, as used for example by SimpleSAMLphp, performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.	2.0.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ucwf-xdma-h7fc Aliases: CVE-2018-6519 GHSA-hhm8-2j4g-mpgg	Injection Vulnerability The SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.	1.10.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.1.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-wbt9-snjj-uuea Aliases: CVE-2018-7644 GHSA-923w-2xv2-7pr8	Improper signature validation The `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.	1.10.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.1.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xx6m-pvgs-puga Aliases: CVE-2018-7711 GHSA-g888-g2pp-82hf	Incorrect signature validation An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.	1.10.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.3.8 Affected by 0 other vulnerabilities. 3.1.4 Affected by 0 other vulnerabilities.
VCID-zemd-kbb3-s3cr Aliases: CVE-2016-9814 GHSA-r8v4-7vwj-983x	Incorrect signature verification An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.	1.8.1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.9.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.10.3 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:25:21.644283+00:00	GitLab Importer	Affected by	VCID-139j-7afy-wyf1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2019-3465.yml	38.6.0
2026-06-04T20:11:24.718904+00:00	GitLab Importer	Affected by	VCID-wbt9-snjj-uuea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7644.yml	38.6.0
2026-06-04T20:11:24.415229+00:00	GitLab Importer	Affected by	VCID-xx6m-pvgs-puga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7711.yml	38.6.0
2026-06-04T20:11:05.858087+00:00	GitLab Importer	Affected by	VCID-ucwf-xdma-h7fc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-6519.yml	38.6.0
2026-06-04T20:07:35.077759+00:00	GitLab Importer	Affected by	VCID-zemd-kbb3-s3cr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2016-9814.yml	38.6.0