#git

### Background SimpleSAMLphp uses metadata to determine how to interact with other SAML entities. This metadata includes what’s called endpoints, which are URLs belonging to that entity where SAML messages can be sent. These URLs are used directly by SimpleSAMLphp when a message is sent, either via an HTTP redirection or by automatically posting a form to them. ### Description When sending a SAML message to another entity, SimpleSAMLphp will use the URL of the appropriate endpoint to redirect the user’s browser to it, or craft a form that will be automatically posted to it, depending on the SAML binding used. The URL that’s target of the message is fetched from the stored metadata for the given entity, and that metadata is trusted as correct. However, if that metadata has been altered by a malicious party (either an attacker or a rogue administrator) to substitute the URLs of the endpoints with javascript code, SimpleSAMLphp was blindly using them without any validation, trusting the...

### Impact Authenticated user that has access to edit Forms may inject unsafe code into Forms components. ### Patches Issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13). ### References https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024 https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values

Stalkerware app pcTattleWare had its websites defaced and databases leaked after researchers found several security flaws.

Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the `sql_case` input field in `/web/generate.php`, allowing remote attackers to execute arbitrary SQL commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.

### Background SAML messages are usually signed to prove the identity of the issuer of the message. In the case of SAML authentication responses, correctly verifying the signature is critical to trust that the assertion contained inside the response was issued by a trusted third-party and the identity of the subject has been properly verified. A SAML message can be signed both at the message level and at the assertion level (if the message is an authentication response). When the whole authentication response message is unsigned, all the assertions contained inside must be signed independently in order to verify their authenticity. Failure to properly verify the authenticity of the entire message or individual assertions leads to the ability of an attacker to impersonate any user from any Identity Provider trusted by the Service Provider. ### Description A signature validation bypass issue has been found in the `SimpleSAML_XML_Validator` class. This class performs the verification of...

### Background In order to implement support for the SAML Enhanced Client or Proxy profile, the credentials obtained for authentication were stored in the state in order to pass them to the relevant routines. This, however, led to the credentials being recorded in the user’s session, which can be stored in permanent storage such as the local file system or a remote memcache or database server. ### Description When an authentication request is received via the ECP profile, the username and password obtained this way were saved to the state array, which is used to pass relevant data to different routines that may need it. This is not a problem in itself. However, when the ECP profile is disabled in the Identity Provider, other bindings such as HTTP-POST or HTTP-Redirect will be used, and since redirections are involved, the state array is then persisted to the user’s session, effectively storing it in the session backend. The ECP profile, which uses the SOAP and PAOS bindings, does not...

### Background Several scripts part of SimpleSAMLphp display a web page with links obtained from the request parameters. This allows us to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out. ### Description The following scripts were not checking the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on: - www/logout.php - modules/core/www/no_cookie.php The issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link_href and retryURL HTTP parameters, respectively. The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the trusted.url.domains configuration option. ### Affected versions All SimpleSAMLphp versions prior to 1.14.4. ### Impact A remote attacker could craft a l...

There is a low level potential SQL injection vulnerability in the silverstripe/subsites module has been identified and fixed in version 2.1.1.

There is a vulnerability in silverstripe/taxonomy module that allows SQL injection. This affected controller (`TaxonomyDirectoryController`) is disabled by default and must be enabled by a developer for the exploit to be possible.

The [userforms module](https://github.com/silverstripe/silverstripe-userforms) allows CMS administrators to create public facing forms with file upload abilities. These files are uploaded into a predictable public path on the website, unless configured otherwise by the CMS administrator setting up the form. While the name of the uploaded file itself is not predictable, certain actions taken by CMS authors could expose it. For example, submission notification emails contain a link to the file without authorisation checks. In 3.0.0 this field is disabled by default, but re-enabled upon installation of the [secure assets module](https://github.com/silverstripe-labs/silverstripe-secureassets). When this is installed, the field can once again be used within a form, and will automatically lock this folder to a secure list of users, which can then be configured further by an administrator. Existing file upload fields will not be disabled, but will require re-enabling via config or installat...