Vulnerability details: VCID-2cd3-p3xz-k3hx
Vulnerability ID VCID-2cd3-p3xz-k3hx
Aliases CVE-2020-5225
GHSA-6gc6-m364-85ww
Summary: Inclusion of Sensitive Information in Log Files. Log injection in `SimpleSAMLphp` before version. The `www/errorreport.php` script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, `SimpleSAMLphp` writes all its logs by appending each log line to a given file. Since the `reportID` parameter received in a request sent to `www/errorreport.php` was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.
Status Published
Exploitability 0.5
Weighted Severity 4.0
Risk 2.0
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-5225

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://simplesamlphp.org/security/202001-02

Exploit Prediction Scoring System (EPSS)
Percentile 0.38455
EPSS Score 0.00173
Published At June 4, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-06-04T16:19:44.958803+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/simplesamlphp/simplesamlphp/CVE-2020-5225.yml | 38.6.0 |