Skip to main content

Simplesamlphp

20 CVEs product

Monthly

CVE-2020-5301 PHP LOW PATCH Monitor

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Microsoft Information Disclosure Simplesamlphp
NVD GitHub
CVSS 3.1
3.1
EPSS
0.9%
CVE-2020-5226 PHP MEDIUM PATCH This Month

Cross-site scripting in SimpleSAMLphp before version 1.18.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Simplesamlphp
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-5225 PHP MEDIUM PATCH This Month

Log injection in SimpleSAMLphp before version 1.18.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Simplesamlphp
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-3465 PHP HIGH PATCH This Week

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Jwt Attack Information Disclosure Xmlseclibs Debian Linux Simplesamlphp
NVD GitHub
CVSS 3.1
8.8
EPSS
3.0%
CVE-2018-7711 PHP HIGH PATCH This Week

HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Jwt Attack Information Disclosure PHP Simplesamlphp Saml2 +1
NVD GitHub
CVSS 3.0
8.1
EPSS
1.2%
CVE-2018-7644 PHP HIGH PATCH This Week

The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jwt Attack Simplesamlphp
NVD
CVSS 3.0
7.5
EPSS
1.3%
CVE-2018-6521 PHP CRITICAL POC PATCH Act Now

The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Simplesamlphp Debian Linux
NVD
CVSS 3.0
9.8
EPSS
3.1%
CVE-2018-6520 PHP MEDIUM PATCH This Month

SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Simplesamlphp
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2017-12873 PHP CRITICAL PATCH Act Now

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass Simplesamlphp Debian Linux
NVD GitHub
CVSS 3.0
9.8
EPSS
0.7%
CVE-2017-12872 PHP MEDIUM PATCH This Month

The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Simplesamlphp Debian Linux
NVD
CVSS 3.0
5.9
EPSS
0.4%
CVE-2017-12871 PHP MEDIUM PATCH This Month

The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass PHP Simplesamlphp
NVD GitHub
CVSS 3.0
5.9
EPSS
0.1%
CVE-2017-12870 PHP MEDIUM PATCH This Month

SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Simplesamlphp
NVD
CVSS 3.0
5.9
EPSS
0.3%
CVE-2017-12869 PHP HIGH PATCH This Week

The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass PHP Simplesamlphp Debian Linux
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2017-12868 PHP CRITICAL PATCH Act Now

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass PHP Simplesamlphp
NVD GitHub
CVSS 3.0
9.8
EPSS
0.8%
CVE-2017-12867 PHP MEDIUM PATCH This Month

The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Simplesamlphp
NVD
CVSS 3.0
5.9
EPSS
0.2%
CVE-2016-9955 PHP MEDIUM PATCH This Month

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required.

Denial Of Service Simplesamlphp Debian Linux
NVD
CVSS 3.0
6.3
EPSS
0.4%
CVE-2016-9814 PHP CRITICAL PATCH Act Now

The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Simplesamlphp Saml2
NVD
CVSS 3.0
9.1
EPSS
0.8%
CVE-2016-3124 PHP MEDIUM PATCH This Month

The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Simplesamlphp
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2012-0908 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP XSS Simplesamlphp
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2012-0040 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP XSS Simplesamlphp
NVD
CVSS 2.0
4.3
EPSS
0.5%
EPSS 1% CVSS 3.1
LOW PATCH Monitor

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Microsoft Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting in SimpleSAMLphp before version 1.18.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS PHP Simplesamlphp
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Log injection in SimpleSAMLphp before version 1.18.4. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection PHP Simplesamlphp
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Jwt Attack Information Disclosure Xmlseclibs +2
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

HTTPRedirect.php in the saml2 library in SimpleSAMLphp before 1.15.4 has an incorrect check of return values in the signature validation utilities, allowing an attacker to get invalid signatures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Jwt Attack Information Disclosure PHP +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp before 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote attacker to construct a crafted SAML assertion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jwt Attack Simplesamlphp
NVD
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Simplesamlphp Debian Linux
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open redirect protection mechanism via crafted authority data in a URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Simplesamlphp
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass Simplesamlphp +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Simplesamlphp Debian Linux
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.x through 1.14.11 makes it easier for context-dependent attackers to bypass the encryption protection mechanism by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Authentication Bypass PHP Simplesamlphp
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Simplesamlphp
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass PHP Simplesamlphp +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Authentication Bypass PHP +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Simplesamlphp
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required.

Denial Of Service Simplesamlphp Debian Linux
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Simplesamlphp Saml2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Simplesamlphp
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP XSS Simplesamlphp
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

PHP XSS Simplesamlphp
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy