Clever saml2-js 2.0 and earlier may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| saml2-js(npm) | 0 | 1.12.4 | N/A |
| saml2-js(npm) | 2.0.0 | 2.0.2 | N/A |
CVSS Metrics
