Search for packages
| purl | pkg:composer/simplesamlphp/saml2@2.3.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4ghf-nbrc-m7e2
Aliases: CVE-2024-52806 GHSA-pxm4-r5ph-q2m2 |
SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18. |
Affected by 1 other vulnerability. |
|
VCID-8qrc-1cx7-zuac
Aliases: CVE-2024-52596 GHSA-2x65-fpch-2fcm |
SimpleSAMLphp xml-common is a common classes for handling XML-structures. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 1.19.0. |
Affected by 1 other vulnerability. |
|
VCID-fqhw-vnhk-j7fu
Aliases: CVE-2025-27773 GHSA-46r4-f8gj-xg56 |
The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ject-qv5p-hqfw
Aliases: CVE-2023-41890 GHSA-fv2h-753j-9g39 |
Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T19:54:33.151232+00:00 | GitLab Importer | Affected by | VCID-fqhw-vnhk-j7fu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2025-27773.yml | 38.6.0 |
| 2026-06-12T19:47:42.723344+00:00 | GitLab Importer | Affected by | VCID-8qrc-1cx7-zuac | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52596.yml | 38.6.0 |
| 2026-06-12T19:47:35.157368+00:00 | GitLab Importer | Affected by | VCID-4ghf-nbrc-m7e2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2024-52806.yml | 38.6.0 |
| 2026-06-12T19:06:14.299254+00:00 | GitLab Importer | Affected by | VCID-ject-qv5p-hqfw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2023-41890.yml | 38.6.0 |