In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade simplesamlphp/simplesamlphp to version 2.4.7, 2.5.2 or higher.
simplesamlphp/simplesamlphp is a PHP implementation of a SAML 2.0 service provider and identity provider, also compatible with Shibboleth 1.3 and 2.0.
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the processing of SAML responses when an unsigned Response/InResponseTo is combined with a signed assertion lacking SubjectConfirmationData/InResponseTo. An attacker can bypass authentication and authorization controls by submitting a valid response from a lower-trust trusted IdP to satisfy SP state intended for a different, higher-trust IdP. This is only exploitable if the deployment trusts multiple IdPs with differing assurance levels or tenant boundaries, and the application relies on the selected IdP for authorization decisions.