The XmlSecLibs library as used in the saml2 library in SimpleSAMLphp prior to 1.15.3 incorrectly verifies signatures on SAML assertions, allowing a remote malicious user to construct a crafted SAML assertion on behalf of an Identity Provider that would pass as cryptographically valid, thereby allowing them to impersonate a user from that Identity Provider, aka a key confusion issue.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
simplesamlphp simplesamlphp |