26 results (0.010 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

A vulnerability was found in simplesamlphp simplesamlphp-module-openidprovider up to 0.8.x. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file templates/trust.tpl.php. The manipulation of the argument StateID leads to cross site scripting. The attack can be launched remotely. • https://github.com/simplesamlphp/simplesamlphp-module-openidprovider/commit/8365d48c863cf06ccf1465cc0a161cefae29d69d https://github.com/simplesamlphp/simplesamlphp-module-openidprovider/releases/tag/v0.9.0 https://vuldb.com/?ctiid.218473 https://vuldb.com/?id.218473 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

A vulnerability classified as problematic has been found in SimpleSAMLphp simplesamlphp-module-openid. Affected is an unknown function of the file templates/consumer.php of the component OpenID Handler. The manipulation of the argument AuthState leads to cross site scripting. It is possible to launch the attack remotely. The complexity of an attack is rather high. • https://github.com/simplesamlphp/simplesamlphp-module-openid/commit/d652d41ccaf8c45d5707e741c0c5d82a2365a9a3 https://github.com/simplesamlphp/simplesamlphp-module-openid/releases/tag/v1.0 https://vuldb.com/?ctiid.217170 https://vuldb.com/?id.217170 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The simpleSAMLphp Authentication WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.0. El plugin simpleSAMLphp Authentication de WordPress, es vulnerable a un ataque de tipo Cross-Site Scripting Reflejado debido a un valor $_SERVER["PHP_SELF"] reflejado en el archivo ~/simplesamlphp-authentication.php que permite a atacantes inyectar scripts web arbitrario, en versiones hasta 0.7.0 incluyéndola • https://plugins.trac.wordpress.org/browser/simplesamlphp-authentication/tags/0.7.0/simplesamlphp-authentication.php#L307 https://www.wordfence.com/vulnerability-advisories/#CVE-2021-38320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. • https://github.com/simplesamlphp/simplesamlphp/commit/47968d26a2fd3ed52da70dc09210921d612ce44e https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-24m3-w8g9-jwpq • CWE-178: Improper Handling of Case Sensitivity CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. • https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w https://simplesamlphp.org/security/202001-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •