{"url":"http://public2.vulnerablecode.io/api/packages/274586?format=json","purl":"pkg:deb/debian/simplesamlphp@1.9.2-1","type":"deb","namespace":"debian","name":"simplesamlphp","version":"1.9.2-1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.19.7-1+deb12u2","latest_non_vulnerable_version":"1.19.7-1+deb12u2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51994?format=json","vulnerability_id":"VCID-139j-7afy-wyf1","summary":"Improper Input Validation\nRob Richards XmlSecLibs, as used for example by SimpleSAMLphp, performs incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML message.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-3465","reference_id":"","reference_type":"","scores":[{"value":"0.01873","scoring_system":"epss","scoring_elements":"0.83485","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01873","scoring_system":"epss","scoring_elements":"0.8346","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-3465"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3465"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml"},{"reference_url":"https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/robrichards/xmlseclibs/commit/0a53d3c3aa87564910cae4ed01416441d3ae0db5"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/11/msg00003.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KID7C4AZPYYIZQIPSLANP4R2RQR6YK3/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AB34ILMJ67CUROBOR6YPKB46VHXLOAJ4/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BBKVDUZ7G5ZOUO4BFJWLNJ6VOKBQJX5U/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNFMY5RRLU63P25HEBVDO5KAVI7TX7JV/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ESKJTWLE7QZBQ3EKMYXKMBQG3JDEJWM6/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBE2SJSXG7J4XYLJ2H6HC2VPPOG2OMUN/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAWOVYLZKYDCQBLQEJCFAAD3KQTBPHXE/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCSR3V6LNWJAD37VQB6M2K7P4RQSCVFG/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XBSSRV5Q7JFCYO46A3EN624UZ4KXFQ2M/"},{"reference_url":"https://seclists.org/bugtraq/2019/Nov/8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/Nov/8"},{"reference_url":"https://simplesamlphp.org/security/201911-01","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201911-01"},{"reference_url":"https://www.debian.org/security/2019/dsa-4560","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4560"},{"reference_url":"https://www.tenable.com/security/tns-2019-09","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tenable.com/security/tns-2019-09"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107","reference_id":"944107","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944107"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-3465","reference_id":"CVE-2019-3465","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-3465"},{"reference_url":"https://github.com/advisories/GHSA-pqm6-cgwr-x6pf","reference_id":"GHSA-pqm6-cgwr-x6pf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pqm6-cgwr-x6pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"},{"url":"http://public2.vulnerablecode.io/api/packages/526394?format=json","purl":"pkg:deb/debian/simplesamlphp@1.19.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.19.0-1"}],"aliases":["CVE-2019-3465","GHSA-pqm6-cgwr-x6pf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-139j-7afy-wyf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52172?format=json","vulnerability_id":"VCID-2cd3-p3xz-k3hx","summary":"Inclusion of Sensitive Information in Log Files\nLog injection in `SimpleSAMLphp` before version. The `www/erroreport.php` script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, `SimpleSAMLphp` will output all its logs by appending each log line to a given file. Since the `reportID` parameter received in a request sent to `www/errorreport.php` was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5225","reference_id":"","reference_type":"","scores":[{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38455","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38544","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5225"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5225","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5225"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww"},{"reference_url":"https://simplesamlphp.org/security/202001-02","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/202001-02"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5225","reference_id":"CVE-2020-5225","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5225"},{"reference_url":"https://github.com/advisories/GHSA-6gc6-m364-85ww","reference_id":"GHSA-6gc6-m364-85ww","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6gc6-m364-85ww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/526394?format=json","purl":"pkg:deb/debian/simplesamlphp@1.19.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.19.0-1"}],"aliases":["CVE-2020-5225","GHSA-6gc6-m364-85ww"],"risk_score":2.0,"exploitability":"0.5","weighted_severity":"4.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2cd3-p3xz-k3hx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39369?format=json","vulnerability_id":"VCID-4gux-4jrc-w7ce","summary":"URL Redirection to Untrusted Site (Open Redirect)\n`SimpleSAMLphp` allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6520","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37309","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37218","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6520"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6520","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6520"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6520.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6520.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/issues/1473","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/issues/1473"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6520","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6520"},{"reference_url":"https://simplesamlphp.org/security/201801-02","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201801-02"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2018-6520","GHSA-2qfc-48v5-4w5h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4gux-4jrc-w7ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56788?format=json","vulnerability_id":"VCID-6c55-4pyx-ckbx","summary":"The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding\nThere's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message.\n\nI believe that it exists for v4 only. I have not yet developed a PoC.\n\nV5 is well designed and instead builds the signed query from the same message that will be consumed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27773","reference_id":"","reference_type":"","scores":[{"value":"0.00157","scoring_system":"epss","scoring_elements":"0.36254","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27773"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27773","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27773"},{"reference_url":"https://github.com/simplesamlphp/saml2","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/saml2"},{"reference_url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113"},{"reference_url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/commit/7867d6099dc7f31bed1ea10e5bea159c5623d2a0"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00013.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595","reference_id":"1100595","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100595"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27773","reference_id":"CVE-2025-27773","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27773"},{"reference_url":"https://github.com/advisories/GHSA-46r4-f8gj-xg56","reference_id":"GHSA-46r4-f8gj-xg56","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-46r4-f8gj-xg56"},{"reference_url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56","reference_id":"GHSA-46r4-f8gj-xg56","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T19:26:31Z/"}],"url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-46r4-f8gj-xg56"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/769631?format=json","purl":"pkg:deb/debian/simplesamlphp@1.19.7-1%2Bdeb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.19.7-1%252Bdeb12u2"}],"aliases":["CVE-2025-27773","GHSA-46r4-f8gj-xg56"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6c55-4pyx-ckbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56282?format=json","vulnerability_id":"VCID-8b8r-g7e2-qfb2","summary":"SimpleSAMLphp SAML2 has an XXE in parsing SAML messages\nSummary\n\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52806","reference_id":"","reference_type":"","scores":[{"value":"0.00183","scoring_system":"epss","scoring_elements":"0.39843","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52806"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52806"},{"reference_url":"https://github.com/simplesamlphp/saml2","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/saml2"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/"}],"url":"https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904","reference_id":"1088904","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52806","reference_id":"CVE-2024-52806","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52806"},{"reference_url":"https://github.com/advisories/GHSA-pxm4-r5ph-q2m2","reference_id":"GHSA-pxm4-r5ph-q2m2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pxm4-r5ph-q2m2"},{"reference_url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2","reference_id":"GHSA-pxm4-r5ph-q2m2","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:10:45Z/"}],"url":"https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/769631?format=json","purl":"pkg:deb/debian/simplesamlphp@1.19.7-1%2Bdeb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.19.7-1%252Bdeb12u2"}],"aliases":["CVE-2024-52806","GHSA-pxm4-r5ph-q2m2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8b8r-g7e2-qfb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38795?format=json","vulnerability_id":"VCID-amz8-zhqx-p3c5","summary":"Improper Input Validation\nThe InfoCard module for `SimpleSAMLphp` allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12874","reference_id":"","reference_type":"","scores":[{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51836","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51777","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp-module-infocard/CVE-2017-12874.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp-module-infocard/CVE-2017-12874.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp-module-infocard/commit/63b84cc837ea62bf87f4bf4af29b4420f49311a9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp-module-infocard/commit/63b84cc837ea62bf87f4bf4af29b4420f49311a9"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12874","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12874"},{"reference_url":"https://simplesamlphp.org/security/201612-03","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201612-03"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"}],"aliases":["CVE-2017-12874","GHSA-fj28-869x-vv5g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-amz8-zhqx-p3c5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38480?format=json","vulnerability_id":"VCID-b3fn-bnh5-qyg4","summary":"Incorrect signature verification of SAML 1 messages\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation. get those messages accepted as valid and coming from a trusted entity. In practice, this means full capabilities to impersonate any individual at a given service provider. This vulnerability is not to be confused with the one described and related to SAML 2 messages.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9955","reference_id":"","reference_type":"","scores":[{"value":"0.0041","scoring_system":"epss","scoring_elements":"0.61698","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0041","scoring_system":"epss","scoring_elements":"0.6165","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9955"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9955","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9955"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-9955.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-p9cm-r7jg-8q3g"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9955","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9955"},{"reference_url":"https://simplesamlphp.org/security/201612-02","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201612-02"},{"reference_url":"http://www.securityfocus.com/bid/94946","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/94946"},{"reference_url":"https://github.com/advisories/GHSA-p9cm-r7jg-8q3g","reference_id":"GHSA-p9cm-r7jg-8q3g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p9cm-r7jg-8q3g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"}],"aliases":["CVE-2016-9955","GHSA-p9cm-r7jg-8q3g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b3fn-bnh5-qyg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38794?format=json","vulnerability_id":"VCID-d1d1-jng1-4fe6","summary":"Session Fixation\nSimpleSAMLphp might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12873","reference_id":"","reference_type":"","scores":[{"value":"0.00725","scoring_system":"epss","scoring_elements":"0.72952","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00725","scoring_system":"epss","scoring_elements":"0.7299","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12873.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-gp2m-7cfp-h6gf"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"reference_url":"https://simplesamlphp.org/security/201612-04","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201612-04"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12873","reference_id":"CVE-2017-12873","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12873"},{"reference_url":"https://github.com/advisories/GHSA-gp2m-7cfp-h6gf","reference_id":"GHSA-gp2m-7cfp-h6gf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp2m-7cfp-h6gf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"}],"aliases":["CVE-2017-12873","GHSA-gp2m-7cfp-h6gf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d1d1-jng1-4fe6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52171?format=json","vulnerability_id":"VCID-dggq-bf45-aqga","summary":"Cross-site Scripting\nCross-site scripting in `SimpleSAMLphp`. The `www/erroreport.php` script allows error reports to be submitted and sent to the system administrator. Starting with `SimpleSAMLphp`, a new `SimpleSAML\\Utils\\EMail` class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in `www/errorreport.php` was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5226","reference_id":"","reference_type":"","scores":[{"value":"0.00337","scoring_system":"epss","scoring_elements":"0.56783","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00337","scoring_system":"epss","scoring_elements":"0.56834","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5226"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5226","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5226"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w"},{"reference_url":"https://simplesamlphp.org/security/202001-01","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/202001-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5226","reference_id":"CVE-2020-5226","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5226"},{"reference_url":"https://github.com/advisories/GHSA-mj9p-v2r8-wf8w","reference_id":"GHSA-mj9p-v2r8-wf8w","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mj9p-v2r8-wf8w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/526394?format=json","purl":"pkg:deb/debian/simplesamlphp@1.19.0-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.19.0-1"}],"aliases":["CVE-2020-5226","GHSA-mj9p-v2r8-wf8w"],"risk_score":2.0,"exploitability":"0.5","weighted_severity":"4.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dggq-bf45-aqga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38799?format=json","vulnerability_id":"VCID-dgs2-3xbu-c3ff","summary":"Information Exposure\nThe `SimpleSAML_Session` class in SimpleSAMLphp allows remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12872","reference_id":"","reference_type":"","scores":[{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61325","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61277","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12872"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12872","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12872"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12872.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/b72c79e3070f930d758f5c269333d63ed7509e2e"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html"},{"reference_url":"https://simplesamlphp.org/security/201703-01","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201703-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12872","reference_id":"CVE-2017-12872","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12872"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-12872","GHSA-v882-949x-6v28"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dgs2-3xbu-c3ff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38796?format=json","vulnerability_id":"VCID-dvwj-zd42-nbhe","summary":"Information Exposure\nSimpleSAMLphp makes it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the `aesEncrypt` and `aesDecrypt` methods in the `SimpleSAML/Utils/Crypto` class to protect session identifiers in replies to non-HTTPS service providers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12870","reference_id":"","reference_type":"","scores":[{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49625","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49563","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12870"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12870","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12870"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12870.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12870.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/4c939be1696bacb2b95ee11d4ebc5814a08b04c5","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/4c939be1696bacb2b95ee11d4ebc5814a08b04c5"},{"reference_url":"https://simplesamlphp.org/security/201704-01","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201704-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12870","reference_id":"CVE-2017-12870","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12870"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-12870","GHSA-44pr-mgcp-v36r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dvwj-zd42-nbhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38777?format=json","vulnerability_id":"VCID-gwtm-bdae-3ufj","summary":"Invalid token creation and validation\nThe `SimpleSAML_Auth_TimeLimitedToken` class in SimpleSAMLphp allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12867","reference_id":"","reference_type":"","scores":[{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47613","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47549","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12867.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"reference_url":"https://simplesamlphp.org/security/201708-01","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201708-01"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12867","reference_id":"CVE-2017-12867","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12867"},{"reference_url":"https://github.com/advisories/GHSA-597c-mh7m-48v7","reference_id":"GHSA-597c-mh7m-48v7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-597c-mh7m-48v7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-12867","GHSA-597c-mh7m-48v7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gwtm-bdae-3ufj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38472?format=json","vulnerability_id":"VCID-jv7n-m3cf-jfex","summary":"Information leakage in sanitycheck\nA remote attacker could learn information about the exact PHP version run by the affected system, allowing the search for vulnerabilities known to work with that version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-3124","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42314","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42239","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-3124"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3124","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3124"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-3124.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2016-3124.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/952027dd7f794ff4b2d4f5eddf549c5b5070fa38","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/952027dd7f794ff4b2d4f5eddf549c5b5070fa38"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3124","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3124"},{"reference_url":"https://simplesamlphp.org/security/201603-01","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201603-01"},{"reference_url":"http://www.securityfocus.com/bid/96134","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/96134"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817162","reference_id":"817162","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817162"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"}],"aliases":["CVE-2016-3124","GHSA-9327-mqm6-x97j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jv7n-m3cf-jfex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38798?format=json","vulnerability_id":"VCID-k5d6-k216-8ub8","summary":"Incorrect IV generation for encryption\nThe `aesEncrypt` method in `lib/SimpleSAML/Utils/Crypto` makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging use of the first bytes of the secret key as the initialization vector (IV).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12871","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23783","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23687","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12871"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12871","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12871"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12871.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/77df6a932d46daa35e364925eb73a175010dc904"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/ccf75981187aa88f7165abdb1b1965c0934acda0"},{"reference_url":"https://simplesamlphp.org/security/201703-02","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201703-02"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12871","reference_id":"CVE-2017-12871","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12871"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-12871","GHSA-ww3w-592j-5qrw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k5d6-k216-8ub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56285?format=json","vulnerability_id":"VCID-ma9b-k5br-ffhd","summary":"SimpleSAMLphp xml-common XXE vulnerability\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52596","reference_id":"","reference_type":"","scores":[{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44529","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52596"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52596","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52596"},{"reference_url":"https://github.com/simplesamlphp/xml-common","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/xml-common"},{"reference_url":"https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T18:32:34Z/"}],"url":"https://github.com/simplesamlphp/xml-common/commit/fa4ade391c3194466acf5fbfd5d2ecdbf5e831f5"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00001.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904","reference_id":"1088904","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088904"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52596","reference_id":"CVE-2024-52596","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52596"},{"reference_url":"https://github.com/advisories/GHSA-2x65-fpch-2fcm","reference_id":"GHSA-2x65-fpch-2fcm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2x65-fpch-2fcm"},{"reference_url":"https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm","reference_id":"GHSA-2x65-fpch-2fcm","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-02T18:32:34Z/"}],"url":"https://github.com/simplesamlphp/xml-common/security/advisories/GHSA-2x65-fpch-2fcm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/769631?format=json","purl":"pkg:deb/debian/simplesamlphp@1.19.7-1%2Bdeb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.19.7-1%252Bdeb12u2"}],"aliases":["CVE-2024-52596","GHSA-2x65-fpch-2fcm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ma9b-k5br-ffhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39375?format=json","vulnerability_id":"VCID-mfwu-mfhq-fkh8","summary":"Improper Verification of Cryptographic Signature\nA SimpleSAMLphp Service Provider using SAML will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18122","reference_id":"","reference_type":"","scores":[{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.543","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54243","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18122.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html"},{"reference_url":"https://simplesamlphp.org/security/201710-01","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201710-01"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286","reference_id":"889286","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18122","reference_id":"CVE-2017-18122","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18122"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-18122","GHSA-j4qf-3w33-8cgc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mfwu-mfhq-fkh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39372?format=json","vulnerability_id":"VCID-pskx-9d46-bfdt","summary":"Cross-site Scripting\nThe consentAdmin module in SimpleSAMLphp is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18121","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58091","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58142","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-18121.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html"},{"reference_url":"https://simplesamlphp.org/security/201709-01","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201709-01"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286","reference_id":"889286","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18121","reference_id":"CVE-2017-18121","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18121"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-18121","GHSA-fv7m-wc3v-wr3w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pskx-9d46-bfdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39371?format=json","vulnerability_id":"VCID-ucwf-xdma-h7fc","summary":"Injection Vulnerability\nThe SAML2 library in `SimpleSAMLphp` has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6519","reference_id":"","reference_type":"","scores":[{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64841","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00467","scoring_system":"epss","scoring_elements":"0.64799","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-6519.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-6519.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6519","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6519"},{"reference_url":"https://simplesamlphp.org/security/201801-01","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201801-01"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2018-6519","GHSA-hhm8-2j4g-mpgg"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ucwf-xdma-h7fc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38797?format=json","vulnerability_id":"VCID-va8h-3qxg-uqh2","summary":"Session fixation issue and authentication bypass\nThe `secureCompare` method in `lib/SimpleSAML/Utils/Crypto` when used with PHP, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12868","reference_id":"","reference_type":"","scores":[{"value":"0.00764","scoring_system":"epss","scoring_elements":"0.73788","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00764","scoring_system":"epss","scoring_elements":"0.73825","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12868"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12868","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12868"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12868.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00017.html"},{"reference_url":"https://simplesamlphp.org/security/201705-01","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201705-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12868","reference_id":"CVE-2017-12868","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12868"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-12868","GHSA-j96g-47x2-46hv"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-va8h-3qxg-uqh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39459?format=json","vulnerability_id":"VCID-wbt9-snjj-uuea","summary":"Improper signature validation\nThe `XmlSecLibs` library as used in the saml2 library in SimpleSAMLphp incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7644","reference_id":"","reference_type":"","scores":[{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43902","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00213","scoring_system":"epss","scoring_elements":"0.43832","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7644"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7644.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7644.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://simplesamlphp.org/security/201802-01","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201802-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7644","reference_id":"CVE-2018-7644","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7644"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2018-7644","GHSA-923w-2xv2-7pr8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbt9-snjj-uuea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39457?format=json","vulnerability_id":"VCID-xx6m-pvgs-puga","summary":"Incorrect signature validation\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7711","reference_id":"","reference_type":"","scores":[{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55317","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55374","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7711"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7711","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7711"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2018-7711.yaml"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/saml2/commit/4f6af7f69f29df8555a18b9bb7b646906b45924d"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00017.html"},{"reference_url":"https://simplesamlphp.org/security/201803-01","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201803-01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7711","reference_id":"CVE-2018-7711","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7711"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2018-7711","GHSA-g888-g2pp-82hf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xx6m-pvgs-puga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38800?format=json","vulnerability_id":"VCID-yn8q-d76k-q3h2","summary":"Improper Input Validation\nThe multiauth module in `SimpleSAMLphp` allows remote attackers to bypass authentication context restrictions and use an authentication source defined in `config/authsources.php` via vectors related to improper validation of user input.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12869","reference_id":"","reference_type":"","scores":[{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.62179","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00418","scoring_system":"epss","scoring_elements":"0.6213","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2017-12869.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/blob/de98fc5bb663feea16686ae77958f759b4a7638d/docs/simplesamlphp-changelog-1.x.md?plain=1#L902C64-L902C79"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12869"},{"reference_url":"https://simplesamlphp.org/security/201704-02","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201704-02"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2017-12869","GHSA-qc43-78vj-vg7p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yn8q-d76k-q3h2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39368?format=json","vulnerability_id":"VCID-ywuy-my3f-x7cd","summary":"Security Misconfigurations\nThe sqlauth module in `SimpleSAMLphp` relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6521","reference_id":"","reference_type":"","scores":[{"value":"0.00585","scoring_system":"epss","scoring_elements":"0.69468","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00585","scoring_system":"epss","scoring_elements":"0.69429","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12867"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12869"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12873"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12874"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18121"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6521"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7644"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6521.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/simplesamlphp/CVE-2018-6521.yaml"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00008.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6521","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6521"},{"reference_url":"https://simplesamlphp.org/security/201801-03","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201801-03"},{"reference_url":"https://www.debian.org/security/2018/dsa-4127","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4127"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274588?format=json","purl":"pkg:deb/debian/simplesamlphp@1.13.1-2%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.13.1-2%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"},{"url":"http://public2.vulnerablecode.io/api/packages/516464?format=json","purl":"pkg:deb/debian/simplesamlphp@1.16.3-1%2Bdeb10u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-ma9b-k5br-ffhd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.16.3-1%252Bdeb10u2"}],"aliases":["CVE-2018-6521","GHSA-qv5p-6wrc-79wg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ywuy-my3f-x7cd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38481?format=json","vulnerability_id":"VCID-zemd-kbb3-s3cr","summary":"Incorrect signature verification\nAn incorrect check of return values in the signature validation utilities allows an attacker to get invalid signatures accepted as valid by forcing an error during validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9814","reference_id":"","reference_type":"","scores":[{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74858","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00825","scoring_system":"epss","scoring_elements":"0.74827","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9814"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9814"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2016-9814.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/simplesamlphp/saml2/CVE-2016-9814.yaml"},{"reference_url":"https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/simplesamlphp/saml2/commit/7008b0916426212c1cc2fc238b38ab9ebff0748c"},{"reference_url":"https://github.com/simplesamlphp/saml2/pull/81","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/simplesamlphp/saml2/pull/81"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00001.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9814","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9814"},{"reference_url":"https://simplesamlphp.org/security/201612-01","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://simplesamlphp.org/security/201612-01"},{"reference_url":"http://www.securityfocus.com/bid/94730","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/94730"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/515563?format=json","purl":"pkg:deb/debian/simplesamlphp@1.14.11-1%2Bdeb9u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.14.11-1%252Bdeb9u2"}],"aliases":["CVE-2016-9814","GHSA-r8v4-7vwj-983x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zemd-kbb3-s3cr"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100927?format=json","vulnerability_id":"VCID-ew79-5kez-abdt","summary":"Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0908","reference_id":"","reference_type":"","scores":[{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.65195","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00475","scoring_system":"epss","scoring_elements":"0.65238","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0908"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0908","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0908"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274586?format=json","purl":"pkg:deb/debian/simplesamlphp@1.9.2-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.9.2-1"}],"aliases":["CVE-2012-0908"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ew79-5kez-abdt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42973?format=json","vulnerability_id":"VCID-jhx8-7x7y-z7cv","summary":"Improper Handling of Exceptional Conditions\nsimplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-4625","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50941","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51002","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-4625"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4625","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4625"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp"},{"reference_url":"https://github.com/simplesamlphp/simplesamlphp/blob/b3059c51a915910c6631fb2ee597c0fb6ad9162b/docs/simplesamlphp-changelog-1.x.md?plain=1#L1624","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/simplesamlphp/simplesamlphp/blob/b3059c51a915910c6631fb2ee597c0fb6ad9162b/docs/simplesamlphp-changelog-1.x.md?plain=1#L1624"},{"reference_url":"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202330-1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202330-1"},{"reference_url":"https://www.mageni.net/vulnerability/debian-security-advisory-dsa-2330-1-simplesamlphp-70545","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mageni.net/vulnerability/debian-security-advisory-dsa-2330-1-simplesamlphp-70545"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4625","reference_id":"CVE-2011-4625","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-4625"},{"reference_url":"https://security-tracker.debian.org/tracker/CVE-2011-4625","reference_id":"CVE-2011-4625","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security-tracker.debian.org/tracker/CVE-2011-4625"},{"reference_url":"https://github.com/advisories/GHSA-5fj7-f8x3-q2mc","reference_id":"GHSA-5fj7-f8x3-q2mc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fj7-f8x3-q2mc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274586?format=json","purl":"pkg:deb/debian/simplesamlphp@1.9.2-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.9.2-1"}],"aliases":["CVE-2011-4625","GHSA-5fj7-f8x3-q2mc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jhx8-7x7y-z7cv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100926?format=json","vulnerability_id":"VCID-xhg6-p2ka-nfe9","summary":"Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the retryURL parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0040","reference_id":"","reference_type":"","scores":[{"value":"0.00545","scoring_system":"epss","scoring_elements":"0.6815","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00545","scoring_system":"epss","scoring_elements":"0.6819","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-0040"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0040","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0040"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/274586?format=json","purl":"pkg:deb/debian/simplesamlphp@1.9.2-1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-139j-7afy-wyf1"},{"vulnerability":"VCID-2cd3-p3xz-k3hx"},{"vulnerability":"VCID-4gux-4jrc-w7ce"},{"vulnerability":"VCID-6c55-4pyx-ckbx"},{"vulnerability":"VCID-8b8r-g7e2-qfb2"},{"vulnerability":"VCID-amz8-zhqx-p3c5"},{"vulnerability":"VCID-b3fn-bnh5-qyg4"},{"vulnerability":"VCID-d1d1-jng1-4fe6"},{"vulnerability":"VCID-dggq-bf45-aqga"},{"vulnerability":"VCID-dgs2-3xbu-c3ff"},{"vulnerability":"VCID-dvwj-zd42-nbhe"},{"vulnerability":"VCID-gwtm-bdae-3ufj"},{"vulnerability":"VCID-jv7n-m3cf-jfex"},{"vulnerability":"VCID-k5d6-k216-8ub8"},{"vulnerability":"VCID-ma9b-k5br-ffhd"},{"vulnerability":"VCID-mfwu-mfhq-fkh8"},{"vulnerability":"VCID-pskx-9d46-bfdt"},{"vulnerability":"VCID-ucwf-xdma-h7fc"},{"vulnerability":"VCID-va8h-3qxg-uqh2"},{"vulnerability":"VCID-wbt9-snjj-uuea"},{"vulnerability":"VCID-xx6m-pvgs-puga"},{"vulnerability":"VCID-yn8q-d76k-q3h2"},{"vulnerability":"VCID-ywuy-my3f-x7cd"},{"vulnerability":"VCID-zemd-kbb3-s3cr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.9.2-1"}],"aliases":["CVE-2012-0040"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xhg6-p2ka-nfe9"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/simplesamlphp@1.9.2-1"}