VYPR
Vendor: Simplesamlphp

Products: 4
CVEs: 17
Across products: 18
Status: Private

Recent CVEs (17)
Fields per entry: CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description (- = not listed)

CVE-2016-9814 | Severity: Critical | Risk: 0.59 | CVSS: 9.1 | EPSS: 0.01 | KEV: - | Published: Feb 17, 2017
The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.

CVE-2017-12873 | Severity: Critical | Risk: 0.57 | CVSS: 9.8 | EPSS: 0.01 | KEV: - | Published: Sep 1, 2017
SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.

CVE-2017-12868 | Severity: Critical | Risk: 0.57 | CVSS: 9.8 | EPSS: 0.01 | KEV: - | Published: Sep 1, 2017
The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

CVE-2017-12869 | Severity: High | Risk: 0.49 | CVSS: 7.5 | EPSS: 0.00 | KEV: - | Published: Sep 1, 2017
The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.

CVE-2026-46491 | Severity: High | Risk: 0.45 | CVSS: - | EPSS: - | KEV: - | Published: May 15, 2026

## Summary

`simplesamlphp-module-casserver` builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled `ticket` / `pgt` query parameters into this store. In deployments using `FileSystemTicketStore`, a remote attacker can use path traversal sequences such as `../target.serialized` to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to `deleteTicket()` immediately after `getTicket()` returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the `?array` return type.

### Preconditions

The demonstrated issue requires:

- the `casserver` module to be enabled;
- the file-based ticket store to be configured (`FileSystemTicketStore`);
- public CAS validation/proxy endpoints to be reachable;
- the PHP process to have filesystem permissions for the target path;
- for the demonstrated CAS 1.0 deletion impact, `getTicket()` must return without throwing; practically, the target file must contain serialized PHP data that unserializes to a value compatible with the `?array` return type, such as an array or null.

Full CAS semantic validation is not required for deletion in CAS 1.0 because `deleteTicket($ticket)` is called immediately after `getTicket($ticket)`. The attacker does not need administrator access to SimpleSAMLphp.

## Impact

Affected deployments can allow remote attackers to escape the configured CAS ticket directory through public ticket validation inputs.

Confirmed impact:

- read and unserialize files outside the ticket cache when the file content is valid serialized PHP data;
- delete attacker-selected files outside the ticket cache through the CAS 1.0 validation flow when the target is readable by the PHP process, deletable under the PHP process filesystem permissions, and the target content unserializes to a value compatible with the `?array` return type, such as a serialized array or serialized null. Full CAS semantic validation is not required before deletion in the CAS 1.0 flow.

The file deletion impact depends on the filesystem permissions of the PHP process. In realistic deployments, this can destroy CAS tickets, serialized SimpleSAMLphp runtime/cache files, or other writable files whose contents can be unserialized into a value accepted by the `?array` return type. It may also delete attacker-created files outside the ticket directory if the attacker has another primitive to place such serialized content. The `unserialize()` call creates a dangerous secondary primitive if an attacker can place a serialized object file at a reachable path, although this report does not claim a complete object-injection or RCE chain.

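The path construction described in the CVE-2026-46491 advisory, shown as an added example that is not code from simplesamlphp-module-casserver: a minimal file-backed ticket store with the unsafe concatenation beside a hardened version that allowlists the ticket identifier syntax, checks that the resolved path stays inside the ticket directory, and keeps `unserialize()` from instantiating classes. The ticket identifier format, the class and method names and the temporary directory layout are assumptions for illustration.

```php
<?php
// Added example, not project code. Ticket ID format and class names are assumed.
declare(strict_types=1);

final class VulnerableTicketStore
{
    public function __construct(private string $dir) {}

    // Attacker-controlled $ticketId goes straight into the path: "../x" escapes $dir.
    public function getTicket(string $ticketId): ?array
    {
        $path = $this->dir . DIRECTORY_SEPARATOR . $ticketId;
        if (!is_file($path)) {
            return null;
        }
        return unserialize((string) file_get_contents($path)); // may also instantiate objects
    }
}

final class HardenedTicketStore
{
    // Assumed CAS ticket shape: type prefix, hyphen, opaque token. No "/", "\", "." or NUL can pass.
    private const TICKET_RE = '/^(ST|PT|PGT|PGTIOU)-[A-Za-z0-9_-]{16,128}$/';

    public function __construct(private string $dir) {}

    private function pathFor(string $ticketId): string
    {
        // 1. Syntactic allowlist on the identifier itself.
        if (preg_match(self::TICKET_RE, $ticketId) !== 1) {
            throw new InvalidArgumentException('Malformed ticket identifier');
        }
        // 2. Containment check: the resolved parent must be the ticket directory itself.
        $base = realpath($this->dir);
        if ($base === false) {
            throw new RuntimeException('Ticket directory does not exist');
        }
        $path = $base . DIRECTORY_SEPARATOR . $ticketId;
        $resolved = realpath($path);
        if ($resolved !== false && dirname($resolved) !== $base) {
            throw new RuntimeException('Ticket path escapes ticket directory');
        }
        return $path;
    }

    public function addTicket(string $ticketId, array $ticket): void
    {
        file_put_contents($this->pathFor($ticketId), serialize($ticket), LOCK_EX);
    }

    public function getTicket(string $ticketId): ?array
    {
        $path = $this->pathFor($ticketId);
        if (!is_file($path)) {
            return null;
        }
        // 3. On-disk data must never drive object instantiation.
        $data = unserialize((string) file_get_contents($path), ['allowed_classes' => false]);
        return is_array($data) ? $data : null;
    }

    public function deleteTicket(string $ticketId): void
    {
        $path = $this->pathFor($ticketId);
        if (is_file($path)) {
            unlink($path);
        }
    }
}

// Constructed demonstration: a ticket directory plus a "victim" file one level above it.
$dir = sys_get_temp_dir() . '/cas-tickets-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$victim = sys_get_temp_dir() . '/victim-' . bin2hex(random_bytes(4)) . '.serialized';
file_put_contents($victim, serialize(['secret' => 'outside the ticket directory']));
$traversal = '../' . basename($victim);

$vulnerable = new VulnerableTicketStore($dir);
var_dump($vulnerable->getTicket($traversal)); // the victim file is read and unserialized

$hardened = new HardenedTicketStore($dir);
$id = 'ST-' . bin2hex(random_bytes(16));
$hardened->addTicket($id, ['service' => 'https://sp.example.org/']);
var_dump($hardened->getTicket($id));
try {
    $hardened->getTicket($traversal);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
$hardened->deleteTicket($id);
unlink($victim);
rmdir($dir);
```

The regex is the check that actually matters: `realpath()` returns false for a file that does not exist yet, so on its own it cannot protect `addTicket()`, and it does nothing about `unserialize()` of attacker-placed content; `allowed_classes => false` closes that second primitive regardless of where the file came from.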
CVE-2017-12874 | Severity: High | Risk: 0.42 | CVSS: 7.5 | EPSS: 0.00 | KEV: - | Published: Sep 1, 2017
The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.

CVE-2016-3124 | Severity: Medium | Risk: 0.34 | CVSS: 5.3 | EPSS: 0.00 | KEV: - | Published: Feb 7, 2017
The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors.

CVE-2017-12872 | Severity: Medium | Risk: 0.31 | CVSS: 5.9 | EPSS: 0.00 | KEV: - | Published: Sep 1, 2017
The (1) Htpasswd authentication source in the authcrypt module and (2) SimpleSAML_Session class in SimpleSAMLphp 1.14.11 and earlier allow remote attackers to conduct timing side-channel attacks by leveraging use of the standard comparison operator to compare secret material against user input.

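Both CVE-2017-12868 (a hand-rolled secureCompare) and CVE-2017-12872 (`==` on secret material) come down to how a secret is compared with user input. The following added example, not SimpleSAMLphp code, shows the early-exit comparison next to a constant-time one built on PHP's `hash_equals()`, and an Htpasswd-style password check that hashes the candidate with the stored salt before comparing. Function names, the bcrypt scheme and the sample secrets are assumptions.

```php
<?php
// Added example, not project code. Names and sample values are constructed.
declare(strict_types=1);

// Vulnerable pattern: == stops at the first differing byte, so response time
// leaks how long a prefix of the secret the attacker has already guessed.
function tokenMatchesLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened: hash_equals() runs in time that depends only on the length of the
// first (known) argument, never on where the strings differ.
function tokenMatchesSafe(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Htpasswd-style verification: crypt() reads the scheme and salt from the stored
// hash ($1$, $2y$, $5$, $6$ ...), so hashing the candidate with the stored hash
// as the salt yields a comparable string; compare the two in constant time.
function htpasswdVerify(string $storedHash, string $password): bool
{
    $candidate = crypt($password, $storedHash);
    return hash_equals($storedHash, $candidate);
}

// Constructed sample credential: a bcrypt hash generated locally for the demo.
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
var_dump(htpasswdVerify($hash, 'correct horse battery staple'));
var_dump(htpasswdVerify($hash, 'wrong password'));

// Session-style secret token carried in a request.
$expected = bin2hex(random_bytes(32));
var_dump(tokenMatchesLoose($expected, substr($expected, 0, 10))); // rejects, but by early exit
var_dump(tokenMatchesSafe($expected, $expected));
var_dump(tokenMatchesSafe($expected, substr($expected, 0, 10)));
```

Argument order in `hash_equals()` is deliberate: put the value the attacker does not control first, so the only thing the timing can reveal is the length of the known secret.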
CVE-2017-12870 | Severity: Medium | Risk: 0.31 | CVSS: 5.9 | EPSS: 0.00 | KEV: - | Published: Sep 1, 2017
SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle attackers to obtain sensitive information by leveraging use of the aesEncrypt and aesDecrypt methods in the SimpleSAML/Utils/Crypto class to protect session identifiers in replies to non-HTTPS service providers.

CVE-2017-12867 | Severity: Medium | Risk: 0.31 | CVSS: 5.9 | EPSS: 0.00 | KEV: - | Published: Aug 29, 2017
The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.

CVE-2025-65954 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: - | KEV: - | Published: May 15, 2026

### Summary

The logout endpoint accepts a `url` query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. There are a number of other things broken with logout in 7 (CAS v3 uses different query parameters, etc.).

### Details

https://github.com/simplesamlphp/simplesamlphp-module-casserver/blob/21418f7efbea8c4f078fd4a7d1b9eacf94dd4941/src/Controller/LogoutController.php#L104

The previous module checked the url against the valid service urls.

### PoC

The docker instructions from the README.md run an image with a vulnerable config. Accessing https://localhost/cas/logout?url=https://google.com will redirect to Google.

### Impact

Impacted configs have

```php
'enable_logout' => true,
```

and are most impacted if they also have

```php
'skip_logout_page' => true,
```

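The check the advisory says the earlier module performed, validating the logout `url` against the configured service URLs, as an added example that is not casserver's own code. The configuration shape (a list of allowed service URL prefixes), the class name and the sample URLs are assumptions; the point is that scheme, host and port must match a configured service exactly and the path must sit under the configured path, so a lookalike host, a userinfo trick or a scheme-relative URL is refused.

```php
<?php
// Added example, not project code. Config key shape and class name are assumed.
declare(strict_types=1);

final class LogoutRedirectPolicy
{
    /** @param string[] $legalServiceUrls Allowed service URL prefixes (assumed config shape). */
    public function __construct(private array $legalServiceUrls) {}

    public function isAllowed(string $url): bool
    {
        $parts = parse_url($url);
        // Absolute http(s) URL with a host only: rejects "javascript:", "data:", "//host/", relative paths.
        if ($parts === false || !isset($parts['scheme'], $parts['host'])
            || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;
        }
        foreach ($this->legalServiceUrls as $prefix) {
            $p = parse_url($prefix);
            if ($p === false || !isset($p['scheme'], $p['host'])) {
                continue; // ignore a malformed allowlist entry rather than treating it as a wildcard
            }
            // parse_url() already splits off userinfo, so "https://sp.example.org@evil.tld/" has host evil.tld.
            if (strtolower($p['scheme']) === strtolower($parts['scheme'])
                && strtolower($p['host']) === strtolower($parts['host'])
                && ($p['port'] ?? null) === ($parts['port'] ?? null)
                && str_starts_with($parts['path'] ?? '/', $p['path'] ?? '/')) {
                return true;
            }
        }
        return false;
    }

    // The target to redirect to, or null: show the logout page with no continue link.
    public function redirectTarget(?string $url): ?string
    {
        return ($url !== null && $this->isAllowed($url)) ? $url : null;
    }
}

// Constructed allowlist and candidate targets.
$policy = new LogoutRedirectPolicy(['https://sp.example.org/', 'https://app.example.net:8443/cas/']);
var_dump($policy->redirectTarget('https://sp.example.org/home?logout=1'));   // allowed
var_dump($policy->redirectTarget('https://app.example.net:8443/cas/done'));  // allowed
var_dump($policy->redirectTarget('https://google.com'));                     // refused: host not listed
var_dump($policy->redirectTarget('https://sp.example.org.evil.tld/'));       // refused: suffix lookalike
var_dump($policy->redirectTarget('https://sp.example.org@evil.tld/'));       // refused: host is evil.tld
var_dump($policy->redirectTarget('//sp.example.org/'));                      // refused: no scheme
```

Whole-component matching is what makes this safe; a plain `str_starts_with($url, $prefix)` on the raw string would accept `https://sp.example.org.evil.tld/` for the prefix `https://sp.example.org` as soon as someone drops the trailing slash from the configuration.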
CVE-2020-5301 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: 0.00 | KEV: - | Published: Apr 21, 2020
SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. The module controller in `SimpleSAML\Module` that processes requests for pages hosted by modules, has code to identify paths ending with `.php` and process those as PHP code. If no other suitable way of handling the given path exists it presents the file to the browser. The check to identify paths ending with `.php` does not account for uppercase letters. If someone requests a path ending with e.g. `.PHP` and the server is serving the code from a case-insensitive file system, such as on Windows, the processing of the PHP code does not occur, and the source code is instead presented to the browser. An attacker may use this issue to gain access to the source code in third-party modules that is meant to be private, or even sensitive. However, the attack surface is considered small, as the attack will only work when SimpleSAMLphp serves such content from a file system that is not case-sensitive, such as on Windows. This issue is fixed in version 1.18.6.

CVE-2020-5226 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: 0.00 | KEV: - | Published: Jan 24, 2020
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/errorreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field.

CVE-2020-5225 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: 0.00 | KEV: - | Published: Jan 24, 2020
Log injection in SimpleSAMLphp before version 1.18.4. The www/errorreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.

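The CVE-2020-5225 description is a textbook log injection: a request parameter reaches a line-oriented log file with its newlines intact. The added example below, not SimpleSAMLphp code, applies two independent layers: an allowlist on the report identifier before it is used at all, and a log writer that replaces control bytes so that one call always produces exactly one line. The report-ID format (8 hex characters), the log line layout and the attacker input are constructed assumptions.

```php
<?php
// Added example, not project code. Report-ID format and log layout are assumed.
declare(strict_types=1);

// Layer 1: accept only the expected shape; everything else is rejected before it is logged.
function parseReportId(string $raw): ?string
{
    return preg_match('/^[0-9a-f]{8}$/', $raw) === 1 ? $raw : null;
}

// Layer 2: the writer itself neutralises CR, LF and other control bytes, so a
// caller that forgets layer 1 still cannot forge a second line.
function logLine(string $level, string $message): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $message);
    return sprintf("%s %s %s\n", gmdate('c'), strtoupper($level), $clean);
}

function appendLog(string $file, string $level, string $message): void
{
    file_put_contents($file, logLine($level, $message), FILE_APPEND | LOCK_EX);
}

// Constructed attacker input: a valid-looking ID followed by a forged log entry.
$malicious = "deadbeef\nOct 10 12:00:00 ssp NOTICE admin login succeeded from 10.0.0.1";

$id = parseReportId($malicious); // null: the embedded newline fails the allowlist
echo $id === null ? "report id rejected\n" : "report id accepted: {$id}\n";

// Even when the raw value reaches the logger, the forged entry stays on the same line.
$log = tempnam(sys_get_temp_dir(), 'ssp-log');
appendLog($log, 'notice', 'Error report received: ' . $malicious);
echo file_get_contents($log);
unlink($log);
```

Replacing rather than stripping the control bytes is a deliberate choice: a visible `?` in the log shows an analyst that something was there, whereas silently dropping it hides the attempt.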
CVE-2011-4625 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: 0.00 | KEV: - | Published: Nov 6, 2019
simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages.

CVE-2012-0908 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: 0.00 | KEV: - | Published: Jan 24, 2012
Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href parameter.

CVE-2012-0040 | Severity: - | Risk: 0.00 | CVSS: - | EPSS: 0.01 | KEV: - | Published: Jan 24, 2012
Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the retryURL parameter.