PT-2020-18322 · Simplesamlphp · Simplesamlphp

Frederic Vleminckx · Published 2020-01-24 · Updated 2020-01-30 · CVE-2020-5226

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp versions 1.18.0 through 1.18.3

Description: The issue is a cross-site scripting (HTML injection) flaw in the error reporting mechanism of SimpleSAMLphp. The www/erroreport.php script allows users to submit error reports, which are then e-mailed to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to send e-mails using Twig templates, which escape variables automatically. However, for installations not using the new user interface, an e-mail template is hardcoded in plain PHP without escaping, so HTML can be injected by crafting the contents of the free-text field. This could trick a system administrator into performing an action, such as entering their credentials on a phishing website. Remote execution of JavaScript is considered unfeasible, since most e-mail clients do not run JavaScript contained in e-mails.

Recommendations: Upgrade the SimpleSAMLphp installation to version 1.18.4. As a temporary workaround, consider restricting access to the www/erroreport.php script until the issue is resolved. Avoid using the free-text field in the error reporting form until the issue is fixed.
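To make the root cause concrete, here is an added example (not SimpleSAMLphp's own code) of the pattern the description refers to: an error-report e-mail body assembled in plain PHP from user-controlled fields, first without escaping and then with every untrusted value passed through htmlspecialchars(). The function names, the report array and the sample submission are constructed for this example; the only assumption is that the report fields (sender e-mail, report ID, free text) are all attacker-controllable input, as they are in a public error-report form.

```php
<?php
// Added example, not SimpleSAMLphp code. Demonstrates the unescaped e-mail
// template pattern beside its hardened form. All names and data are constructed.

declare(strict_types=1);

/**
 * Vulnerable pattern: submitted values are concatenated straight into an HTML
 * e-mail body, so any markup in the free-text field is rendered by the mail client.
 */
function renderReportUnescaped(array $report): string
{
    return '<html><body>'
        . '<p>Error report from ' . $report['email'] . '</p>'
        . '<p>Report ID: ' . $report['reportId'] . '</p>'
        . '<div>' . $report['text'] . '</div>'
        . '</body></html>';
}

/**
 * Escape one untrusted value for an HTML context. ENT_QUOTES also encodes
 * single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened pattern: the same template, but every user-controlled value is
 * escaped at the point where it enters the HTML. This is the manual equivalent
 * of Twig's autoescaping that the newer template path relies on.
 */
function renderReportEscaped(array $report): string
{
    return '<html><body>'
        . '<p>Error report from ' . h($report['email']) . '</p>'
        . '<p>Report ID: ' . h($report['reportId']) . '</p>'
        . '<div>' . h($report['text']) . '</div>'
        . '</body></html>';
}

/**
 * Regression check a reviewer or unit test can apply: the rendered body must
 * not contain, verbatim, any tag that came in through an untrusted field.
 */
function containsInjectedMarkup(string $html, string $untrustedTag): bool
{
    return strpos($html, $untrustedTag) !== false;
}

// Constructed sample submission: the free-text field carries HTML markup.
$report = [
    'email'    => 'user@example.test',
    'reportId' => 'report-0001',
    'text'     => 'Login failed. <a href="https://example.test/">Open details</a>',
];
$injectedTag = '<a href="https://example.test/">';

echo containsInjectedMarkup(renderReportUnescaped($report), $injectedTag)
    ? "unescaped template: markup from the free-text field is rendered as HTML\n"
    : "unescaped template: no injected markup\n";

echo containsInjectedMarkup(renderReportEscaped($report), $injectedTag)
    ? "escaped template: markup from the free-text field is rendered as HTML\n"
    : "escaped template: injected markup neutralised (shown as literal text)\n";
```

The escaped variant prints the submitted text as literal characters, so the administrator sees the raw `<a href=...>` string rather than a clickable link. Sending the administrator notification as a plain-text e-mail (or at least only the free-text part in plain text) removes the HTML context entirely and is a reasonable belt-and-braces choice for this kind of form.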

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-5226
GHSA-MJ9P-V2R8-WF8W

Affected Products

Simplesamlphp