| purl | pkg:composer/simplesamlphp/simplesamlphp@1.14.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1u9j-pr96-wueh (Aliases: 201710-01) | Improper Certificate Validation: Signature validation bypass in simplesamlphp. | Affected by 6 other vulnerabilities. |
| VCID-2erd-t2hf-cbf7 (Aliases: CVE-2018-6521, GHSA-qv5p-6wrc-79wg) | security update | Affected by 4 other vulnerabilities. |
| VCID-72je-vjsn-a3a3 (Aliases: 201606-01) | Link injection: `www/logout.php` and `modules/core/www/no_cookie.php` do not check the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on. This allows attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks on the `link_href` and `retryURL` HTTP parameters, respectively. | Affected by 18 other vulnerabilities. |
| VCID-741q-jvqg-4qhq (Aliases: CVE-2017-18121, GHSA-fv7m-wc3v-wr3w) | security update | Affected by 9 other vulnerabilities. |
| VCID-8ra2-tfjs-c3a2 (Aliases: CVE-2016-3124, GHSA-9327-mqm6-x97j) | The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. | Affected by 21 other vulnerabilities. |
| VCID-9kdf-1k7y-8yge (Aliases: CVE-2017-12871, GHSA-ww3w-592j-5qrw) | The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first 16 bytes of the secret key as the initialization vector (IV). | Affected by 14 other vulnerabilities. |
| VCID-aq1f-4gx2-w7e2 (Aliases: CVE-2018-6520, GHSA-2qfc-48v5-4w5h) | SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL. | Affected by 4 other vulnerabilities. |
| VCID-eryg-yprt-1uhd (Aliases: GHSA-fjr2-r2mp-484p) | Duplicate Advisory: SimpleSAMLphp signature validation bypass | Affected by 6 other vulnerabilities. |
| VCID-f81e-we99-3fcx (Aliases: GHSA-2r3v-q9x3-7g46, GMS-2020-602) | Link injection in SimpleSAMLphp | Affected by 18 other vulnerabilities. |
| VCID-fwh5-cfnj-hfeg (Aliases: CVE-2017-12867, GHSA-597c-mh7m-48v7) | security update | Affected by 10 other vulnerabilities. |
| VCID-hqfj-cd75-nkfa (Aliases: GHSA-j5g2-q29x-cw3h) | SimpleSAMLphp vulnerable to XXE in parsing SAML messages. Withdrawn Advisory: this advisory has been withdrawn because the vulnerability affects users of the SimpleSAMLphp tarball, not the SimpleSAMLphp Composer package. The underlying information about CVE-2024-52596 is still valid. Original Description, Summary: when loading an (untrusted) XML document, for example the SAMLResponse, it is possible to induce an XXE. Mitigation: remove the `LIBXML_DTDLOAD \| LIBXML_DTDATTR` options from `$options` in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 Background / details: to be published on Dec 8th. | Affected by 0 other vulnerabilities. |
| VCID-mkss-szdn-vucw (Aliases: CVE-2017-12868, GHSA-j96g-47x2-46hv) | The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | Affected by 11 other vulnerabilities. |
| VCID-mt8a-t14t-fycw (Aliases: CVE-2020-5301, GHSA-24m3-w8g9-jwpq) | Information disclosure of source code in SimpleSAMLphp | Affected by 1 other vulnerability. |
| VCID-n129-376a-y3gj (Aliases: CVE-2017-12870, GHSA-44pr-mgcp-v36r) | SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers. | Affected by 13 other vulnerabilities. |
| VCID-nm6r-f68t-ufht (Aliases: CVE-2017-12872, GHSA-v882-949x-6v28) | The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input. | Affected by 14 other vulnerabilities. Affected by 6 other vulnerabilities. |
| VCID-npe5-1a82-bbh2 (Aliases: GHSA-vpr3-cw3h-prw8) | SimpleSAMLphp Reflected Cross-site Scripting vulnerability | Affected by 4 other vulnerabilities. |
| VCID-pwbg-dz5n-t7fj (Aliases: GMS-2019-149) | Cross-site Scripting: Reflected Cross-Site-Scripting in simplesamlphp. | Affected by 5 other vulnerabilities. |
| VCID-rts2-upqp-7kee (Aliases: CVE-2017-12873, GHSA-gp2m-7cfp-h6gf) | security update | Affected by 16 other vulnerabilities. |
| VCID-v5hk-k2vp-tfgg (Aliases: CVE-2016-9955, GHSA-p9cm-r7jg-8q3g) | Incorrect signature verification in SimpleSAMLphp | Affected by 16 other vulnerabilities. |
| VCID-vn25-u6v1-cqh1 (Aliases: GHSA-v858-922f-fj9v) | SimpleSAMLphp Link Injection vulnerability | Affected by 18 other vulnerabilities. |
| VCID-wmg4-fqe6-rfb8 (Aliases: CVE-2017-12869, GHSA-qc43-78vj-vg7p) | security update | Affected by 11 other vulnerabilities. |
| VCID-wtmm-kpq1-4kc2 (Aliases: CVE-2017-18122, GHSA-j4qf-3w33-8cgc) | security update | Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||