Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp versions 1.16.x up to 1.16.2

Description: The issue arises from the storage of credentials obtained for authentication in the state array, which can be persisted to the user's session and stored in permanent storage. This occurs when the ECP profile is disabled in the Identity Provider, and other bindings such as HTTP-POST or HTTP-Redirect are used, involving redirections that store the state array in the session backend. The logic for determining when to save credentials to the state array incorrectly assumes that the SOAP binding indicates the use of the ECP profile. As a result, any Identity Provider with the ECP profile disabled but metadata for an entity that supports ECP may reject incoming ECP requests but write the credentials obtained in the request to the user's session. This can make the credentials accessible to administrators, other personnel, or malicious parties with access to the systems where sessions or their backups are stored.

Recommendations: For SimpleSAMLphp versions 1.16.x up to 1.16.2, consider disabling the storage of credentials in the state array when the ECP profile is disabled, or restrict access to the session backend to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.