Search for packages
| purl | pkg:composer/simplesamlphp/saml2@2.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-418w-j3pp-s3hq
Aliases: CVE-2018-7644 GHSA-923w-2xv2-7pr8 |
security update |
Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-4ghf-nbrc-m7e2
Aliases: CVE-2024-52806 GHSA-pxm4-r5ph-q2m2 |
SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18. |
Affected by 1 other vulnerability. |
|
VCID-66su-j8hj-93d5
Aliases: CVE-2018-6519 GHSA-hhm8-2j4g-mpgg |
security update |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-8qrc-1cx7-zuac
Aliases: CVE-2024-52596 GHSA-2x65-fpch-2fcm |
SimpleSAMLphp xml-common is a common classes for handling XML-structures. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 1.19.0. |
Affected by 1 other vulnerability. |
|
VCID-97b7-hgde-6bah
Aliases: CVE-2016-9814 GHSA-r8v4-7vwj-983x |
The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean. |
Affected by 7 other vulnerabilities. |
|
VCID-fqhw-vnhk-j7fu
Aliases: CVE-2025-27773 GHSA-46r4-f8gj-xg56 |
The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ject-qv5p-hqfw
Aliases: CVE-2023-41890 GHSA-fv2h-753j-9g39 |
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible. |
Affected by 6 other vulnerabilities. |
|
VCID-r99h-renx-4bd1
Aliases: CVE-2018-7711 GHSA-g888-g2pp-82hf |
HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures accepted as valid by forcing an error during validation. This occurs because of a dependency on PHP functionality that interprets a -1 error code as a true boolean value. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||