Debian Simplesamlphp vulnerabilities
28 known vulnerabilities affecting debian/simplesamlphp.
Total CVEs: 28
CISA KEV: 0
Public exploits: 0
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 11, MEDIUM 9, LOW 5
Vulnerabilities
Page 2 of 2
CVE-2017-18121 | MEDIUM | CVSS 6.1 | fixed in simplesamlphp 1.15.0-1 (bookworm) | 2017
The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.
Scope: local
bookworm: resolved (fixed in 1.15.0-1)
bullseye: resolved (fixed in 1.15.0-1)
sid: resolved (fixed in 1.15.0-1)

CVE-2017-12867 | MEDIUM | CVSS 5.9 | fixed in simplesamlphp 1.14.15-1 (bookworm) | 2017
The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
Scope: local
bookworm: resolved (fixed in 1.14.15-1)
bullseye: resolved (fixed in 1.14.15-1)
sid: resolved (fixed in 1.14.15-1)

CVE-2016-9814 | LOW (entry label: CRITICAL) | CVSS 9.1 | fixed in simplesamlphp 1.14.10-1 (bookworm) | 2016
The validateSignature method in the SAML2\Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
Scope: local
bookworm: resolved (fixed in 1.14.10-1)

CVE-2016-3124 | LOW (entry label: MEDIUM) | CVSS 5.3 | fixed in simplesamlphp 1.14.1-1 (bookworm) | 2016
The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1.14.1-1)
bullseye: resolved (fixed in 1.14.1-1)
sid: resolved (fixed in 1.14.1-1)

CVE-2016-9955 | LOW (entry label: MEDIUM) | CVSS 6.3 | fixed in simplesamlphp 1.14.11-1 (bookworm) | 2016
The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean.
Scope: local
bookworm: resolved (fixed in 1.14.11-1)
bullseye: resolved (fixed in 1.14.11-1)

CVE-2012-0040 | MEDIUM | CVSS 4.3 | fixed in simplesamlphp 1.8.2-1 (bookworm) | 2012
Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the retryURL parameter.
Scope: local
bookworm: resolved (fixed in 1.8.2-1)
bullseye: resolved (fixed in 1.8.2-1)
sid: resolved (fixed in 1.8.2-1)

CVE-2012-0908 | MEDIUM | CVSS 4.3 | fixed in simplesamlphp 1.8.2-1 (bookworm) | 2012
Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href parameter.
Scope: local
bookworm: resolved (fixed in 1.8.2-1)
bullseye: resolved (fixed in 1.8.2-1)
sid: resolved (fixed in 1.8.2-1)

CVE-2011-4625 | HIGH | CVSS 7.5 | fixed in simplesamlphp 1.8.1-1 (bookworm) | 2011
simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption, which could allow remote attackers to decrypt or forge messages.
Scope: local
bookworm: resolved (fixed in 1.8.1-1)
bullseye: resolved (fixed in 1.8.1-1)
sid: resolved (fixed in 1.8.1-1)