VulnerableCode Package Details - pkg:composer/simplesamlphp/saml2@3.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-ucwf-xdma-h7fc Aliases: CVE-2018-6519	Injection Vulnerability The SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.	3.1.1 Affected by 0 other vulnerabilities.
VCID-wbt9-snjj-uuea Aliases: CVE-2018-7644	Improper signature validation The `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.	3.1.3 Affected by 0 other vulnerabilities.
VCID-xx6m-pvgs-puga Aliases: CVE-2018-7711	Incorrect signature validation An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.	3.1.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-ucwf-xdma-h7fc
Aliases:
CVE-2018-6519

Injection Vulnerability The SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.

3.1.1
Affected by 0 other vulnerabilities.

VCID-wbt9-snjj-uuea
Aliases:
CVE-2018-7644

Improper signature validation The `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.

3.1.3
Affected by 0 other vulnerabilities.

VCID-xx6m-pvgs-puga
Aliases:
CVE-2018-7711

Incorrect signature validation An incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.

3.1.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-v3bx-f3um-8ubc	Authentication Bypass by Alternate Name Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.	CVE-2023-41890 GHSA-fv2h-753j-9g39

Vulnerability

Summary

Aliases

VCID-v3bx-f3um-8ubc

Authentication Bypass by Alternate Name Sustainsys.Saml2 library adds SAML2P support to ASP.NET web sites, allowing the web site to act as a SAML2 Service Provider. Prior to versions 1.0.3 and 2.9.2, when a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: the issuer of the generated identity and claims; or items in the stored request state (AuthenticationProperties). This issue is patched in versions 2.9.2 and 1.0.3. The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible.

CVE-2023-41890
GHSA-fv2h-753j-9g39

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:45:49.502465+00:00	GitLab Importer	Fixing	VCID-v3bx-f3um-8ubc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2023-41890.yml	38.6.0
2026-06-02T04:37:33.779653+00:00	GitLab Importer	Affected by	VCID-wbt9-snjj-uuea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7644.yml	38.6.0
2026-06-02T04:37:33.680615+00:00	GitLab Importer	Affected by	VCID-xx6m-pvgs-puga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-7711.yml	38.6.0
2026-06-02T04:37:30.073653+00:00	GitLab Importer	Affected by	VCID-ucwf-xdma-h7fc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/saml2/CVE-2018-6519.yml	38.6.0