AdNovum · nevisAuth · CVE-2015-5372
**Name of the Vulnerable Software and Affected Versions**
AdNovum nevisAuth versions 4.13.0.0 through 4.18.3.0
**Description**
The issue affects the SAML 2.0 implementation when SAML POST-Binding is used. The implementation does not properly match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP). This allows remote attackers to inject arbitrary SAML assertions via a crafted certificate.
**Recommendations**
For AdNovum nevisAuth versions 4.13.0.0 through 4.18.3.0, update to version 4.18.3.1 or later to resolve the issue.
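The certificate-matching step named in the description, sketched as an added example (not AdNovum's code or its fix): a relying party accepts the certificate embedded in a POST-Binding message only if it is byte-for-byte the pinned IdP certificate, rather than comparing selected attributes. The function names and the sample certificate bytes are constructed for illustration, and signature verification itself is assumed to happen separately.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-ins for DER bytes; real input would be actual certificates.
PINNED_IDP_DER = b"constructed-der-bytes-of-configured-idp-certificate"
OTHER_DER = b"constructed-der-bytes-of-some-other-certificate"


def embedded_certs(saml_xml):
    """Return every ds:X509Certificate in the message as raw DER bytes."""
    # Assumption: size limits and hardened XML parsing are applied upstream.
    root = ET.fromstring(saml_xml)
    ders = []
    for node in root.iter(DS + "X509Certificate"):
        b64 = "".join((node.text or "").split())  # base64 may be line-wrapped
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def is_pinned_idp_cert(saml_xml, idp_cert_der):
    """True only if every embedded certificate is byte-identical to the pinned one."""
    try:
        ders = embedded_certs(saml_xml)
    except (ET.ParseError, binascii.Error, ValueError):
        return False  # fail closed on malformed XML or base64
    if not ders:
        return False  # no certificate to match: reject rather than trust
    want = hashlib.sha256(idp_cert_der).digest()
    # Whole-certificate digest: subject, issuer, serial and key are all covered.
    return all(hmac.compare_digest(want, hashlib.sha256(d).digest()) for d in ders)


def sample_response(der):
    """Build a constructed, unsigned POST-Binding skeleton carrying one certificate."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:KeyInfo>'
        "<ds:X509Data><ds:X509Certificate>" + base64.b64encode(der).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )


if __name__ == "__main__":
    print(is_pinned_idp_cert(sample_response(PINNED_IDP_DER), PINNED_IDP_DER))
```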