
Pedro Igor Craveiro

Rank #20909 of 53,633 · Total CVSS 12 · Vulnerabilities: 2 (Medium: 2)
**PT-2015-4558** · CVSS 6.0 · 2015-08-17
Jboss · Picketlink · CVE-2015-0277

**Name of the Vulnerable Software and Affected Versions** PicketLink versions prior to 2.7.0

**Description** The issue allows remote attackers to log in to other users' accounts via a crafted SAML assertion, because the Service Provider (SP) in PicketLink does not verify that it is listed in an Audience element when an AudienceRestriction is specified.

**Recommendations** For versions prior to 2.7.0, update to version 2.7.0 or later to resolve the issue.
**PT-2015-7140** · CVSS 6.0 · 2015-08-17
Jboss · Picketlink · CVE-2015-6254

**Name of the Vulnerable Software and Affected Versions** PicketLink versions prior to 2.7.0

**Description** The issue in PicketLink allows remote attackers to have an unspecified impact, because the Service Provider (SP) and Identity Provider (IdP) do not verify that the Destination attribute of a Response element in a SAML assertion matches the location at which the message was received.

**Recommendations** For versions prior to 2.7.0, update to version 2.7.0 or later to resolve the issue.