CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2018-0489
https://notcve.org/view.php?id=CVE-2018-0489
27 Feb 2018 — Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486. Shibboleth XMLTooling-C en versiones anteriores a la 1.6.4, tal y como se emplea en Shibboleth Service Provider en versiones anteriores a la 2.6.1.4 en Wind... • http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 1CVE-2018-0486 – Shibboleth 2 XML Injection
https://notcve.org/view.php?id=CVE-2018-0486
13 Jan 2018 — Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service Provider before 2.6.0 on Windows and other products, mishandles digital signatures of user attribute data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via a crafted DTD. Shibboleth XMLTooling-C en versiones anteriores a la 1.6.3, tal y como se emplea en Shibboleth Service Provider en versiones anteriores a la 2.6.0 en Windows y otros productos, gestiona de manera incorrecta las firmas digit... • https://packetstorm.news/files/id/145919 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-16852
https://notcve.org/view.php?id=CVE-2017-16852
16 Nov 2017 — shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763. shibsp/metadata/DynamicMetadataProvider.cpp en el plugin Dynamic MetadataProvider en Shibboleth Service Provider, en versiones anteriores a la 2.6.1,... • https://bugs.debian.org/881857 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-16853 – Debian Security Advisory 4039-1
https://notcve.org/view.php?id=CVE-2017-16853
16 Nov 2017 — The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105. La clase DynamicMetadataProvider en saml/saml2/metadata/impl/DynamicMetadataProvider.cpp en OpenSAML-C en OpenSAML, en versiones anteriores a la 2.... • http://www.securityfocus.com/bid/101898 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2017-14313 – Shibboleth <= 1.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-14313
02 Mar 2016 — The shibboleth_login_form function in shibboleth.php in the Shibboleth plugin before 1.8 for WordPress is prone to an XSS vulnerability due to improper use of add_query_arg(). La función shibboleth_login_form en shibboleth.php en el plugin Shibboleth en versiones anteriores a la 1.8 para WordPress es propenso a sufrir una vulnerabilidad XSS debido a un uso incorrecto de add_query_arg(). The shibboleth_login_form function in shibboleth.php in the Shibboleth plugin before 1.7 for WordPress is prone to an XSS ... • http://www.debian.org/security/2017/dsa-3973 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-1796 – Java: PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation
https://notcve.org/view.php?id=CVE-2015-1796
23 Jun 2015 — The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. Los motores de confianza PKIX en Shibboleth Identity Provider anterior a 2.4.4 y OpenSAML Java (OpenSAML-J) anterior a 2.6.5 confían en los certificados X.509 de candidatos cuando nombres no co... • http://rhn.redhat.com/errata/RHSA-2015-1176.html • CWE-254: 7PK - Security Features •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 0CVE-2015-2684 – Debian Security Advisory 3207-1
https://notcve.org/view.php?id=CVE-2015-2684
30 Mar 2015 — Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message. Shibboleth Service Provider (SP) anterior a 2.5.4 permite a usuarios remotos autenticados causar una denegación de servicio (caída) a través de un mensaje SAML manipulado. A denial of service vulnerability was found in the Shibboleth (an federated identity framework) Service Provider. When processing certain malformed SAML message generated by an authenticated atta... • http://www.debian.org/security/2015/dsa-3207 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 12EXPL: 0CVE-2013-6440 – Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
https://notcve.org/view.php?id=CVE-2013-6440
13 Feb 2014 — The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration. (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter y (4) SAML Decrypter en Shibboleth OpenSAML-Java anterior a 2.6.1 establece la propiedad expandEntityReferences como "true", lo que permite a atacan... • http://blog.sendsafely.com/post/69590974866/web-based-single-sign-on-and-the-dangers-of-saml-xml • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.8EPSS: 0%CPEs: 15EXPL: 0CVE-2011-1411
https://notcve.org/view.php?id=CVE-2011-1411
02 Sep 2011 — Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack." La librería Shibboleth OpenSAML v2.4.x antes de v2.4.3 y v2.5.x antes de v2.5.1, e IdP antes de v2.3.2, permite a atacantes remotos falsificar mensajes y eludir la autenticación a través de un ataque "XML Signature wrapping" • http://secunia.com/advisories/50994 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 7%CPEs: 16EXPL: 1CVE-2011-2516
https://notcve.org/view.php?id=CVE-2011-2516
11 Jul 2011 — Off-by-one error in the XML signature feature in Apache XML Security for C++ 1.6.0, as used in Shibboleth before 2.4.3 and possibly other products, allows remote attackers to cause a denial of service (crash) via a signature using a large RSA key, which triggers a buffer overflow. Error de superación de límite (off-by-one) en la característica de firma XML en Apache XML Security para C++ v1.6.0,usado en Shibboleth anterior a v2.4.3 y posiblemente otros productos, permite a atacantes remotos provocar una den... • http://lists.fedoraproject.org/pipermail/package-announce/2011-July/063159.html • CWE-189: Numeric Errors •