CVE-2024-52806
HIGHSimpleSAMLphp saml2 < 4.6.14 and 5.0.0-alpha.1-5.0.0-alpha.18 - XML External Entity Injection
Title source: llmDescription
SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE. This vulnerability is fixed in 4.6.14 and 5.0.0-alpha.18.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2
Scores
CVSS v3
8.3
EPSS
0.0041
EPSS Percentile
32.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (4)
simplesamlphp/saml2
0 - 4.6.14Packagist
simplesamlphp/saml2
< 4.6.14
simplesamlphp/saml2
>= 5.0.0-alpha.1, < 5.0.0-alpha.18
simplesamlphp/saml2-legacy
0 - 4.6.14Packagist
Published
Dec 02, 2024
Tracked Since
Feb 18, 2026