CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2017-12868
https://notcve.org/view.php?id=CVE-2017-12868
01 Sep 2017 — The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. El método secureCompare en lib/SimpleSAML/Utils/Crypto.php en SimpleSAMLphp 1.14.13 y anteriores, al usarse con PHP en versiones anteriores a la 5.6, permite que los atacantes lleven a cabo ataques de fijación de sesión o que, ... • https://github.com/simplesamlphp/simplesamlphp/commit/4bc629658e7b7d17c9ac3fe0da7dc5df71f1b85e • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-12869 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12869
01 Sep 2017 — The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input. El módulo multiauth en SimpleSAMLphp 1.14.13 y anteriores permite que atacantes remotos omitan las restricciones de contexto de autenticación y empleen un origen de autenticación definido en config/authsources.php mediante vectores relacionados en la validaci... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12870
https://notcve.org/view.php?id=CVE-2017-12870
01 Sep 2017 — SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers. SimpleSAMLphp 1.14.12 y anteriores hace que sea más fácil para atacantes Man-in-the-Middle (MitM) obtener información sensible mediante el aprovechamiento de los métodos aesEncrypt y aesDecrypt en la clase SimpleSAML/Utils/Crypto... • https://simplesamlphp.org/security/201704-01 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12867 – Debian Security Advisory 4127-1
https://notcve.org/view.php?id=CVE-2017-12867
29 Aug 2017 — The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. La clase SimpleSAML_Auth_TimeLimitedToken en SimpleSAMLphp 1.14.14 y anteriores permite que atacantes con acceso a un token secreto extiendan su periodo de validez manipulando el offset de tiempo antepuesto. Several vulnerabilities have been discovered in SimpleSAMLphp, a framework for authentication, primarily... • https://lists.debian.org/debian-lts-announce/2017/12/msg00007.html • CWE-613: Insufficient Session Expiration •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2016-9955
https://notcve.org/view.php?id=CVE-2016-9955
16 Feb 2017 — The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean. El constructor de clase SimpleSAML_XML_Validator en SimpleSAMLphp en versiones anteriores a 1.14.11 podría permitir a atacantes remotos suplantar firmas en respuestas SAML 1 o posiblemente provocar una denegación de servicio (consumo de memor... • http://www.securityfocus.com/bid/94946 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 13EXPL: 0CVE-2016-9814
https://notcve.org/view.php?id=CVE-2016-9814
16 Feb 2017 — The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean. El método validateSignature en la clase SAML2\Utils en SimpleSAMLphp en versiones anteriores a 1.14.10 y la librería simplesamlphp/saml2 en versiones anteriores a 1.9.... • http://www.securityfocus.com/bid/94730 • CWE-399: Resource Management Errors •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-3124
https://notcve.org/view.php?id=CVE-2016-3124
07 Feb 2017 — The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. El módulo sanitycheck en SimpleSAMLphp en versiones anteriores a 1.14.1 permite a atacantes remotos aprender la versión de PHP en el sistema a través de vectores no especificados. • http://www.securityfocus.com/bid/96134 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 16EXPL: 0CVE-2012-0040
https://notcve.org/view.php?id=CVE-2012-0040
24 Jan 2012 — Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the retryURL parameter. Vulnerbilidad de ejecución de secuencias de comandos web en sitios cruzados (XSS) en modules/core/www/no_cookie.php en SimpleSAMLphp v1.8.1 y posiblemente en otras versiones anteriores a v1.8.2 permite a atacantes remotos inyectar código HTML o script web a través del parámetro 're... • http://code.google.com/p/simplesamlphp/issues/detail?id=468 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 16EXPL: 0CVE-2012-0908
https://notcve.org/view.php?id=CVE-2012-0908
24 Jan 2012 — Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href parameter. Vulnerbilidad de ejecución de secuencias de comandos web en sitios cruzados (XSS) en logout.php en SimpleSAMLphp v1.8.1 y posiblemente otras versiones anterior a v1.8.2 permite a atacantes remotos inyectar código HTML o script web a través del parámetro 'link_href parameter'. • http://code.google.com/p/simplesamlphp/issues/detail?id=468 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •