Description
An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and earlier, and in its predecessor Express-saml2, which could allow attackers to impersonate arbitrary users.
References (2)
Core References
Issue Tracking, Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/tngan/samlify/releases/tag/v2.3.0
Mitigation, Third Party Advisory x_refsource_misc
https://www.whitehats.nl/blog/xml-signature-wrapping-samlify
Scores
CVSS v3
7.5
EPSS
0.0138
EPSS Percentile
68.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-91
Status
published
Products (2)
npm/samlify
0 - 2.4.0-rc5 (npm)
samlify_project/samlify
< 2.2.0
Published
Jan 02, 2018
Tracked Since
Feb 18, 2026