Description
LightSAML version prior to 1.3.5 contains a Incorrect Access Control vulnerability in signature validation in readers in src/LightSaml/Model/XmlDSig/ that can result in impersonation of any user from Identity Provider. This vulnerability appears to have been fixed in 1.3.5 and later.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/lightSAML/lightSAML/commit/47cef07bb09779df15620799f3763d1b8d32307a
Third Party Advisory x_refsource_misc
https://github.com/lightSAML/lightSAML/releases/tag/1.3.5
Scores
CVSS v3
7.5
EPSS
0.0020
EPSS Percentile
41.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-732
Status
published
Products (2)
lightsaml/lightsaml
< 1.3.5
lightsaml/lightsaml
0 - 1.3.5Packagist
Published
Apr 18, 2018
Tracked Since
Feb 18, 2026