SB2020013117 - Multiple vulnerabilities in SimpleSAMLphp

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Output Neutralization for Logs (CVE-ID: CVE-2020-5225)

The vulnerability allows a remote attacker to inject new log lines with arbitrary content.

The vulnerability exists due to the "www/erroreport.php" script, which receives error reports and sends them via email to the system administrator, does not properly sanitize the report identifier obtained from the request. A remote attacker can manually craft this report ID and inject logs messages into a SimpleSAMLphp log file, trying to trick or confuse system administrators.

2) Cross-site scripting (CVE-ID: CVE-2020-5226)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "www/erroreport.php" script. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww
• https://simplesamlphp.org/security/202001-02
• https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w
• https://simplesamlphp.org/security/202001-01