VulnerableCode Package Details - pkg:composer/simplesamlphp/simplesamlphp@1.18.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-hqfj-cd75-nkfa Aliases: GHSA-j5g2-q29x-cw3h	SimpleSAMLphp vulnerable to XXE in parsing SAML messages ## Withdrawn Advisory This advisory has been withdrawn because the vulnerability affects users of the SimpleSAMLphp tarball, not the SimpleSAMLphp Composer package. The underlying information about CVE-2024-52596 is still valid. ## Original Description # Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. ## Mitigation: Remove the `LIBXML_DTDLOAD \| LIBXML_DTDATTR` options from `$options` is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 ## Background / details To be published on Dec 8th	2.0.15 Affected by 0 other vulnerabilities. 2.1.0-rc1 Affected by 0 other vulnerabilities. 2.1.7 Affected by 0 other vulnerabilities. 2.2.4 Affected by 0 other vulnerabilities. 2.3.4 Affected by 0 other vulnerabilities.
VCID-mt8a-t14t-fycw Aliases: CVE-2020-5301 GHSA-24m3-w8g9-jwpq	Information disclosure of source code in SimpleSAMLphp	1.18.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hqfj-cd75-nkfa
Aliases:
GHSA-j5g2-q29x-cw3h

SimpleSAMLphp vulnerable to XXE in parsing SAML messages ## Withdrawn Advisory This advisory has been withdrawn because the vulnerability affects users of the SimpleSAMLphp tarball, not the SimpleSAMLphp Composer package. The underlying information about CVE-2024-52596 is still valid. ## Original Description # Summary When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. ## Mitigation: Remove the `LIBXML_DTDLOAD | LIBXML_DTDATTR` options from `$options` is in: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 ## Background / details To be published on Dec 8th

2.0.15
Affected by 0 other vulnerabilities.

2.1.0-rc1
Affected by 0 other vulnerabilities.

2.1.7
Affected by 0 other vulnerabilities.

2.2.4
Affected by 0 other vulnerabilities.

2.3.4
Affected by 0 other vulnerabilities.

VCID-mt8a-t14t-fycw
Aliases:
CVE-2020-5301
GHSA-24m3-w8g9-jwpq

Information disclosure of source code in SimpleSAMLphp

1.18.6
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-uuud-qxr7-4qhh	Log injection in SimpleSAMLphp	CVE-2020-5225 GHSA-6gc6-m364-85ww
VCID-vxbq-9k5c-4uf5	Cross-site scripting in SimpleSAMLphp	CVE-2020-5226 GHSA-mj9p-v2r8-wf8w

Vulnerability

Summary

Aliases

VCID-uuud-qxr7-4qhh

Log injection in SimpleSAMLphp

CVE-2020-5225
GHSA-6gc6-m364-85ww

VCID-vxbq-9k5c-4uf5

Cross-site scripting in SimpleSAMLphp

CVE-2020-5226
GHSA-mj9p-v2r8-wf8w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:47:38.324450+00:00	GitLab Importer	Affected by	VCID-hqfj-cd75-nkfa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/simplesamlphp/GHSA-j5g2-q29x-cw3h.yml	38.6.0
2026-06-12T17:20:01.225706+00:00	GitLab Importer	Affected by	VCID-mt8a-t14t-fycw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/simplesamlphp/CVE-2020-5301.yml	38.6.0
2026-06-12T08:01:29.625390+00:00	GithubOSV Importer	Fixing	VCID-vxbq-9k5c-4uf5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-mj9p-v2r8-wf8w/GHSA-mj9p-v2r8-wf8w.json	38.6.0
2026-06-12T08:01:25.050383+00:00	GithubOSV Importer	Fixing	VCID-uuud-qxr7-4qhh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-6gc6-m364-85ww/GHSA-6gc6-m364-85ww.json	38.6.0
2026-06-11T20:25:47.415065+00:00	GHSA Importer	Fixing	VCID-vxbq-9k5c-4uf5	https://github.com/advisories/GHSA-mj9p-v2r8-wf8w	38.6.0
2026-06-11T20:25:47.377370+00:00	GHSA Importer	Fixing	VCID-uuud-qxr7-4qhh	https://github.com/advisories/GHSA-6gc6-m364-85ww	38.6.0