3 results (0.013 seconds)

CVSS: 5.9 | EPSS: 0% | CPEs: 2 | EXPL: 1

04 Apr 2019 — The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java (OpenSAML-J) before 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate (any certificate that chains to a trusted CA, issued for any host, is accepted). • http://secunia.com/advisories/60816 • CWE-297: Improper Validation of Certificate with Host Mismatch

CVSS: 6.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

23 Jun 2015 — The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor: with an empty trusted-name set the name check is skipped entirely, so a valid chain to the anchor is sufficient on its own. • http://rhn.redhat.com/errata/RHSA-2015-1176.html • CWE-254: 7PK - Security Features
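The two entries above are both failures to bind an X.509 certificate to an expected name: the first skips the TLS hostname check when fetching a resource, the second lets the PKIX trust engine fall open when the entity's metadata supplies no trusted names. The following Python block is an added illustration of both checks, not Shibboleth or OpenSAML code (those are Java). The function names, the `fail_open` switch that stands in for the pre-fix behaviour, and the certificate dictionaries (shaped like Python's `ssl.SSLSocket.getpeercert()` output) are all constructed for the example.

```python
"""Added illustration of certificate name checking for two failure modes:
CWE-297 (TLS peer name not verified) and a PKIX trust engine that skips the
name check when the trusted-name set is empty. Not project code; all names
and sample certificates below are constructed for the example."""


def cert_names(cert):
    """Return (san_dns_names, cn) from a getpeercert()-style dict.

    Only dNSName SAN entries count. The CN is returned separately because a
    CN fallback is only acceptable when the certificate has no SAN at all."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return san, cn


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname: case-insensitive, a
    single leftmost wildcard label only, and never matching across dots."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # "*.sso.example.org" matches "login.sso.example.org" but not
    # "sso.example.org" or "a.b.sso.example.org".
    suffix = pattern[1:]
    head, sep, rest = hostname.partition(".")
    return bool(head) and sep == "." and "." + rest == suffix


def hostname_matches(cert, hostname):
    """Fixed behaviour: the server name must match a SAN dNSName, or the CN
    only when the certificate carries no SAN. A chain-valid certificate for
    some other host is rejected."""
    san, cn = cert_names(cert)
    candidates = san if san else ([cn] if cn else [])
    return any(_name_matches(name, hostname) for name in candidates)


def accept_server(cert, hostname, chain_valid, verify_hostname=True):
    """Decision a resource fetcher makes before trusting its TLS peer.
    verify_hostname=False reproduces the vulnerable HttpResource: a chain
    that validates is enough, so any certificate from a trusted CA, issued
    for any host, lets a man-in-the-middle serve a forged resource."""
    if not chain_valid:
        return False
    return (not verify_hostname) or hostname_matches(cert, hostname)


def pkix_trusts(chain_valid, cert, trusted_names, fail_open=False):
    """PKIX trust decision for a SAML entity's credential.

    chain_valid   -- whether the chain builds to a shibmd:KeyAuthority anchor
    cert          -- the candidate certificate (getpeercert()-style dict)
    trusted_names -- names taken from the entity's metadata; may be empty
    fail_open     -- models the pre-fix engines: an empty trusted-name set
                     disables the name check, so any certificate the anchor
                     ever issued can impersonate the entity. The fixed
                     engines refuse instead (modelled here as the default)."""
    if not chain_valid:
        return False
    if not trusted_names:
        return fail_open
    san, cn = cert_names(cert)
    candidate = {n.lower() for n in san} | ({cn.lower()} if cn else set())
    return bool(candidate & {n.lower() for n in trusted_names})


# Constructed sample certificates (not real): the IdP's own certificate and
# a second one issued by the same CA for an unrelated host.
IDP_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.sso.example.org")),
}
OTHER_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"),),
}
LEGACY_CERT = {  # no SAN at all, so the CN fallback applies
    "subject": ((("commonName", "legacy.example.org"),),),
}
```

`accept_server(OTHER_CERT, "idp.example.org", chain_valid=True)` is the interesting case: it is `True` with `verify_hostname=False` and `False` otherwise, which is exactly the difference the first entry describes. Likewise `pkix_trusts(True, OTHER_CERT, set())` is only `True` when `fail_open=True`.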

CVSS: 6.1 | EPSS: 0% | CPEs: 16 | EXPL: 0

06 Nov 2009 — Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections and appear, unescaped, in automatically generated forms. • http://secunia.com/advisories/37237 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
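The form referred to in this entry is the auto-submitting HTML page a SAML HTTP-POST binding emits, whose `action` attribute carries a URL taken from the request. The Python block below is an added illustration of that bug class and of its fix; it is not Shibboleth code. The template, the function names, the scheme check in `validate_action_url` (a stand-in for checking the URL against metadata endpoints) and the sample URLs are all constructed for the example.

```python
"""Added illustration of CWE-79 in an auto-generated SAML POST form: a
request-supplied URL interpolated into an HTML attribute, vulnerable and
hardened renderers side by side. Not project code; template and sample
inputs are constructed for the example."""

import html
from urllib.parse import urlsplit

# Constructed stand-in for a binding's auto-submit page.
FORM_TEMPLATE = """<!DOCTYPE html>
<html><body onload="document.forms[0].submit()">
<form method="post" action="{action}">
<input type="hidden" name="SAMLResponse" value="{saml}"/>
<input type="hidden" name="RelayState" value="{relay}"/>
<noscript><input type="submit" value="Continue"/></noscript>
</form></body></html>
"""


def render_form_vulnerable(action_url, saml_b64, relay_state):
    """Raw interpolation: a URL ending in '"><script>...' closes the action
    attribute and injects markup into the generated page."""
    return FORM_TEMPLATE.format(action=action_url, saml=saml_b64, relay=relay_state)


def validate_action_url(action_url):
    """Only hand the browser off to an https URL with a host part. A real
    deployment would additionally match it against endpoints from metadata;
    that lookup is out of scope here and is an assumption of the example."""
    parts = urlsplit(action_url)
    return parts.scheme == "https" and bool(parts.netloc)


def render_form_fixed(action_url, saml_b64, relay_state):
    """Hardened renderer: refuse unexpected destinations, then HTML-escape
    every value placed in an attribute so '"', '<', '>' and '&' cannot
    terminate the attribute or open a tag."""
    if not validate_action_url(action_url):
        raise ValueError("refusing to post to %r" % action_url)
    return FORM_TEMPLATE.format(
        action=html.escape(action_url, quote=True),
        saml=html.escape(saml_b64, quote=True),
        relay=html.escape(relay_state, quote=True),
    )


def contains_injected_markup(rendered_html):
    """Crude check used to compare the two renderers: the template itself
    contains no <script> element, so any occurrence came from input."""
    return "<script" in rendered_html
```

Escaping alone stops the attribute break-out; the scheme/host check is the separate control that keeps a `javascript:` or unexpected destination out of `action` even when the value is correctly escaped.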