Matt Elder

**Name of the Vulnerable Software and Affected Versions** Shibboleth Identity Provider versions prior to 1.3.4 Shibboleth Identity Provider versions prior to 2.1.5 Shibboleth Service Provider versions prior to 1.3.5 Shibboleth Service Provider versions prior to 2.3 libshib6 (affected versions not specified) libshibsp1 (affected versions not specified) libshib-dev (affected versions not specified) libshib-target5 (affected versions not specified) libshibsp-dev (affected versions not specified) **Description** The issue involves multiple vulnerabilities in the Shibboleth software, which can lead to a compromise of protected information. These vulnerabilities can be exploited remotely. Specifically, there are multiple cross-site scripting (XSS) vulnerabilities in the Identity Provider and Service Provider components. These XSS vulnerabilities allow remote attackers to inject arbitrary web script or HTML via URLs encountered in redirections and appear in automatically generated forms. **Recommendations** For Shibboleth Identity Provider versions prior to 1.3.4, update to version 1.3.4 or later. For Shibboleth Identity Provider versions prior to 2.1.5, update to version 2.1.5 or later. For Shibboleth Service Provider versions prior to 1.3.5, update to version 1.3.5 or later. For Shibboleth Service Provider versions prior to 2.3, update to version 2.3 or later. For libshib6, libshibsp1, libshib-dev, libshib-target5, and libshibsp-dev, at the moment, there is no information about a newer version that contains a fix for this vulnerability.