Name of the Vulnerable Software and Affected Versions SimpleSAMLphp versions prior to 1.14.4

Description The issue allows attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link href and retryURL HTTP parameters. This could enable a remote attacker to craft a link pointing to a trusted website, including a parameter pointing to a malicious website, and try to fool the victim into visiting that website by clicking on a link in the page presented by SimpleSAMLphp.

Recommendations For versions prior to 1.14.4, update to version 1.14.4 or later to resolve the issue. As a temporary workaround, consider configuring the trusted.url.domains option to specify a white list of trusted websites, and restrict the use of the link href and retryURL parameters to minimize the risk of exploitation.