XML External Entity (XXE) Injection
Affecting samlify package, versions <2.3.0
Overview
samlify is a Node.js API for Single Sign-On (SAML 2.0).
Affected versions of this package are vulnerable to an XML Injection attack.
An XML Signature Wrapping vulnerability exists in samlify 2.2.0 and earlier, and in its predecessor express-saml2, which could allow attackers to impersonate arbitrary users.
Remediation
Upgrade samlify to version 2.3.0 or higher.
References
CVSS Score
7.5 (high severity)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
- Credit: Unknown
- CVE: CVE-2017-1000452
- CWE: CWE-91
- Snyk ID: npm:samlify:20171002
- Disclosed: 02 Oct, 2017
- Published: 22 Jan, 2018