Uninett · Simplesamlphp · CVE-2017-12868
**Name of the Vulnerable Software and Affected Versions**
SimpleSAMLphp versions 1.14.13 and earlier
**Description**
The issue concerns the secureCompare method in SimpleSAMLphp, which can be exploited to conduct session fixation attacks or possibly bypass authentication. This is due to missing character conversions before an XOR operation when used with PHP before version 5.6.
**Recommendations**
For SimpleSAMLphp versions 1.14.13 and earlier, consider updating PHP to version 5.6 or later to mitigate the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.