CVE-2012-0040

Simplesamlphp < 1.8.1 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the retryURL parameter.

References (8)

[Third Party Advisory, VDB Entry] http://osvdb.org/78254

[Vendor Advisory] http://secunia.com/advisories/47491

[Vendor Advisory] http://secunia.com/advisories/47534

[Vendor Advisory] http://www.debian.org/security/2012/dsa-2387

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/51372

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/72313

[Issue Tracking] http://code.google.com/p/simplesamlphp/issues/detail?id=468

[Mailing List] http://www.openwall.com/lists/oss-security/2012/01/20/20

Scores

EPSS 0.0054

EPSS Percentile 67.5%

Classification

CWE

CWE-79

Status published

Affected Products (17)

simplesamlphp/simplesamlphp < 1.8.1

simplesamlphp/simplesamlphp

... and 2 more

Timeline

Published Jan 24, 2012

Tracked Since Feb 18, 2026