5.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-v858-922f-fj9v

EPSS Score

CWE

CWE-74

Published

5/28/2024

Updated

5/28/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-v858-922f-fj9v

GHSA-v858-922f-fj9v:
SimpleSAMLphp Link Injection vulnerability

Background

Several scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.

Description

The following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:

www/logout.php
modules/core/www/no_cookie.php The issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link_href and retryURL HTTP parameters, respectively. The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the trusted.url.domains configuration option.

Affected versions

All SimpleSAMLphp versions prior to 1.14.4.

Impact

A remote attacker could craft a link pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-v858-922f-fj9v

EPSS Score

CWE

CWE-74

Published

5/28/2024

Updated

5/28/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
simplesamlphp/simplesamlphp	composer	< 1.14.4	1.14.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of user-supplied parameters ('link_href' and 'retryURL') in the scripts www/logout.php and modules/core/www/no_cookie.php. These scripts directly process HTTP request parameters and pass them to the normalization function \SimpleSAML\Utils\HTTP::normalizeURL() without validation. However, the vulnerability does not reside in a specific named function but in the procedural flow of these scripts. The lack of validation (via checkURLAllowed) in the parameter-handling logic allowed arbitrary URLs to be injected. Since the vulnerable code exists at the script level rather than within defined functions, no specific functions are identified as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### ***k*roun* S*v*r*l s*ripts p*rt o* Simpl*S*MLp*p *ispl*y * w** p*** wit* links o*t*in** *rom t** r*qu*st p*r*m*t*rs. T*is *llows us to *n**n** us**ility, *s t** us*rs *r* pr*s*nt** wit* links t**y **n *ollow **t*r *ompl*tin* * **rt*in **tion, lik

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* us*r-suppli** p*r*m*t*rs ('link_*r**' *n* 'r*tryURL') in t** s*ripts www/lo*out.p*p *n* mo*ul*s/*or*/www/no_*ooki*.p*p. T**s* s*ripts *ir**tly pro**ss *TTP r*qu*st p*r*m*t*rs *n* p*ss t**m to t** norm

5.4

Basic Information

Concerned about an active attack path?

GHSA-v858-922f-fj9v: SimpleSAMLphp Link Injection vulnerability

Background

Description

Affected versions

Impact

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-v858-922f-fj9v:
SimpleSAMLphp Link Injection vulnerability

Vulnerability Intelligence
Miggo AI