| purl | pkg:composer/simplesamlphp/simplesamlphp@1.14.13 |
| Vulnerability affecting this package | Summary | Fixed by |
|---|---|---|
| VCID-1u9j-pr96-wueh (aliases: 201710-01) | Improper Certificate Validation: signature validation bypass in simplesamlphp. | 2 fixing versions, each affected by 6 other vulnerabilities |
| VCID-2erd-t2hf-cbf7 (aliases: CVE-2018-6521, GHSA-qv5p-6wrc-79wg) | Security update. | 1 fixing version, affected by 4 other vulnerabilities |
| VCID-741q-jvqg-4qhq (aliases: CVE-2017-18121, GHSA-fv7m-wc3v-wr3w) | Security update. | 1 fixing version, affected by 9 other vulnerabilities |
| VCID-aq1f-4gx2-w7e2 (aliases: CVE-2018-6520, GHSA-2qfc-48v5-4w5h) | SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL. | 1 fixing version, affected by 4 other vulnerabilities |
| VCID-eryg-yprt-1uhd (aliases: GHSA-fjr2-r2mp-484p) | Duplicate advisory: SimpleSAMLphp signature validation bypass. | 1 fixing version, affected by 6 other vulnerabilities |
| VCID-fwh5-cfnj-hfeg (aliases: CVE-2017-12867, GHSA-597c-mh7m-48v7) | Security update. | 1 fixing version, affected by 10 other vulnerabilities |
| VCID-hqfj-cd75-nkfa (aliases: GHSA-j5g2-q29x-cw3h) | SimpleSAMLphp vulnerable to XXE in parsing SAML messages. Withdrawn advisory: withdrawn because the vulnerability affects users of the SimpleSAMLphp tarball, not the SimpleSAMLphp Composer package; the underlying information about CVE-2024-52596 is still valid. Original description: when loading an (untrusted) XML document, for example the SAMLResponse, it is possible to induce an XXE. Mitigation: remove the `LIBXML_DTDLOAD \| LIBXML_DTDATTR` options from `$options` in https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41. Background / details: to be published on Dec 8th. | 5 fixing versions, each affected by 0 other vulnerabilities |
| VCID-mkss-szdn-vucw (aliases: CVE-2017-12868, GHSA-j96g-47x2-46hv) | The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. | 1 fixing version, affected by 11 other vulnerabilities |
| VCID-mt8a-t14t-fycw (aliases: CVE-2020-5301, GHSA-24m3-w8g9-jwpq) | Information disclosure of source code in SimpleSAMLphp. | 1 fixing version, affected by 1 other vulnerability |
| VCID-npe5-1a82-bbh2 (aliases: GHSA-vpr3-cw3h-prw8) | SimpleSAMLphp reflected cross-site scripting vulnerability. | 1 fixing version, affected by 4 other vulnerabilities |
| VCID-pwbg-dz5n-t7fj (aliases: GMS-2019-149) | Cross-site Scripting: reflected cross-site scripting in simplesamlphp. | 1 fixing version, affected by 5 other vulnerabilities |
| VCID-wmg4-fqe6-rfb8 (aliases: CVE-2017-12869, GHSA-qc43-78vj-vg7p) | Security update. | 1 fixing version, affected by 11 other vulnerabilities |
| VCID-wtmm-kpq1-4kc2 (aliases: CVE-2017-18122, GHSA-j4qf-3w33-8cgc) | Security update. | 1 fixing version, affected by 6 other vulnerabilities |
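The GHSA-j5g2-q29x-cw3h row above gives the mitigation for the XXE: stop passing `LIBXML_DTDLOAD | LIBXML_DTDATTR` when parsing an untrusted SAMLResponse. The following is an added PHP example, not code from SimpleSAMLphp or the simplesamlphp/saml2 library, showing a parse routine for untrusted XML that omits those options, refuses any document carrying a DOCTYPE (entity declarations can only live in a DTD), and exercises it with a constructed XXE-style payload and a constructed benign response. The function name `parseUntrustedXml` and both inline documents are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp or simplesamlphp/saml2 code.
// The advisory's weak option set included LIBXML_DTDLOAD | LIBXML_DTDATTR;
// this hardened set deliberately contains neither, and never LIBXML_NOENT.
const HARDENED_OPTIONS = LIBXML_NONET;

/**
 * Parse an untrusted XML document (e.g. a base64-decoded SAMLResponse).
 * Throws on malformed XML or on any document that declares a DOCTYPE.
 * Hypothetical helper name.
 */
function parseUntrustedXml(string $xml, int $options = HARDENED_OPTIONS): DOMDocument
{
    // Fail closed before the parser sees the DTD at all: a SAML message
    // never needs a DOCTYPE, and every entity declaration lives inside one.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new RuntimeException('Refusing XML document with a DOCTYPE');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if ($doc->loadXML($xml, $options) === false) {
            throw new RuntimeException('Malformed XML');
        }
        // Defence in depth: reject a DOCTYPE the regex somehow missed.
        if ($doc->doctype !== null) {
            throw new RuntimeException('Refusing XML document with a DOCTYPE');
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed XXE-style payload shaped like a SAMLResponse: the internal
// subset declares an entity pointing at a local file.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1">
  <samlp:Status>&xxe;</samlp:Status>
</samlp:Response>
XML;

// Constructed benign response with no DTD.
$benign = <<<'XML'
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_2">
  <samlp:Status>ok</samlp:Status>
</samlp:Response>
XML;

$ns = 'urn:oasis:names:tc:SAML:2.0:protocol';
foreach (['payload' => $payload, 'benign' => $benign] as $name => $xml) {
    try {
        $doc = parseUntrustedXml($xml);
        $status = $doc->getElementsByTagNameNS($ns, 'Status')->item(0);
        echo $name, ': parsed, Status=', $status !== null ? $status->textContent : '', "\n";
    } catch (RuntimeException $e) {
        echo $name, ': rejected: ', $e->getMessage(), "\n";
    }
}
```

Run it with `php parse.php`: the payload is rejected at the DOCTYPE check and the benign document parses. Rejecting the DOCTYPE outright is stricter than the advisory's option change alone, which is the point for a SAML endpoint: no legitimate SAML message carries a DTD, so there is nothing to lose by refusing them all.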
| Vulnerability fixed by this package | Summary | Aliases |
|---|---|---|
| VCID-n129-376a-y3gj | SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers. | CVE-2017-12870, GHSA-44pr-mgcp-v36r |
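The CVE-2017-12868 row in the first table describes the secureCompare defect as missing character conversions before an XOR: the XOR was applied to one-character strings instead of their `ord()` values, and in PHP 5 and 7 a non-numeric one-character string used as a bitwise operand coerces to 0, so the accumulated difference can stay 0 for inputs that differ. The block below is an added PHP example, not SimpleSAMLphp's code, showing the comparison written correctly alongside a small function that exposes the coercion; `secureCompareFixed` and `xorLosesDifference` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example, not SimpleSAMLphp's own secureCompare.

/**
 * Length-checked, constant-time byte comparison. Uses hash_equals() where
 * it exists (PHP >= 5.6) and otherwise XORs ord() values, so that every
 * differing byte contributes a non-zero integer to $diff.
 */
function secureCompareFixed(string $known, string $user): bool
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

/**
 * Shows the coercion behind the bug for one pair of characters.
 * "a" ^ "c" on strings is a one-character string; intval() of that string
 * is 0 unless the XOR result happens to be an ASCII digit, so the
 * difference disappears. ord() values XOR to the real byte difference.
 * (PHP 8 throws a TypeError for a non-numeric string in a bitwise
 * expression, which is why intval() is used here to show the value.)
 */
function xorLosesDifference(string $a, string $b): array
{
    $stringXor = $a[0] ^ $b[0];
    return [
        'string_xor_bytes' => bin2hex($stringXor),
        'string_xor_as_int' => intval($stringXor),
        'ord_xor'           => ord($a[0]) ^ ord($b[0]),
    ];
}

// Constructed inputs: two session identifiers differing in the last byte.
var_dump(secureCompareFixed('sessionid-abc', 'sessionid-abd'));
var_dump(secureCompareFixed('sessionid-abc', 'sessionid-abc'));
print_r(xorLosesDifference('c', 'd'));
```

The `string_xor_as_int` entry is the value the original loop OR-ed into its accumulator for that byte pair; `ord_xor` is what it should have been. When the page says "possibly bypass authentication", this is the mechanism: any comparison whose per-byte differences all coerce to 0 returns true.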