CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-22947
https://notcve.org/view.php?id=CVE-2023-22947
11 Jan 2023 — Insecure folder permissions in the Windows installation path of Shibboleth Service Provider (SP) before 3.4.1 allow an unprivileged local attacker to escalate privileges to SYSTEM via DLL planting in the service executable's folder. This occurs because the installation goes under C:\opt (rather than C:\Program Files) by default. NOTE: the vendor disputes the significance of this report, stating that "We consider the ACLs a best effort thing" and "it was a documentation mistake." Los permisos de carpeta inse... • https://shibboleth.atlassian.net/browse/SSPCPP-961 • CWE-427: Uncontrolled Search Path Element •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28963 – Ubuntu Security Notice USN-4925-1
https://notcve.org/view.php?id=CVE-2021-28963
22 Mar 2021 — Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters. Shibboleth Service Provider versiones anteriores a 3.2.1, permite una inyección de contenido porque la generación de plantillas usa parámetros controlados por atacantes Toni Huttunen and Fraktal Oy discovered that the Shibboleth Service provider allowed content injection due to allowing attacker-controlled parameters in error or other status pages. An attacker could use this to ... • https://bugs.debian.org/985405 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2010-2450
https://notcve.org/view.php?id=CVE-2010-2450
07 Nov 2019 — The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/shibboleth by default) uses OpenSSL to create a DES private key which is placed in sp-key.pm. It relies on the root umask (default 22) instead of chmoding the resulting file itself, so the generated private key is world readable by default. El script keygen.sh en Shibboleth SP 2.0 (ubicado en /usr/local/etc/shibboleth por defecto) utiliza OpenSSL para crear una clave privada DES que es colocada en el archivo sp-key.pm. Se basa en la umask ... • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571631 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-916: Use of Password Hash With Insufficient Computational Effort •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2017-16852
https://notcve.org/view.php?id=CVE-2017-16852
16 Nov 2017 — shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataProvider plugin in Shibboleth Service Provider before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka SSPCPP-763. shibsp/metadata/DynamicMetadataProvider.cpp en el plugin Dynamic MetadataProvider en Shibboleth Service Provider, en versiones anteriores a la 2.6.1,... • https://bugs.debian.org/881857 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 0CVE-2015-2684 – Debian Security Advisory 3207-1
https://notcve.org/view.php?id=CVE-2015-2684
30 Mar 2015 — Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message. Shibboleth Service Provider (SP) anterior a 2.5.4 permite a usuarios remotos autenticados causar una denegación de servicio (caída) a través de un mensaje SAML manipulado. A denial of service vulnerability was found in the Shibboleth (an federated identity framework) Service Provider. When processing certain malformed SAML message generated by an authenticated atta... • http://www.debian.org/security/2015/dsa-3207 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 16EXPL: 0CVE-2009-3300
https://notcve.org/view.php?id=CVE-2009-3300
06 Nov 2009 — Multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider (IdP) 1.3.x before 1.3.4 and 2.x before 2.1.5, and the Service Provider 1.3.x before 1.3.5 and 2.x before 2.3, in Internet2 Middleware Initiative Shibboleth allow remote attackers to inject arbitrary web script or HTML via URLs that are encountered in redirections, and appear in automatically generated forms. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Identity Provider (IdP) v1.3.x anteriores a... • http://secunia.com/advisories/37237 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •