PT-2024-40484 · Unknown · Simplesamlphp

Published

2024-05-28

·

Updated

2024-05-28

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SimpleSAMLphp versions prior to 1.17.3

Description

The issue arises from SimpleSAMLphp's trust in the metadata it uses when sending SAML messages to other entities. If a malicious party alters that metadata so that an endpoint URL contains JavaScript code, SimpleSAMLphp uses the URL without validation, which can lead to a reflected XSS attack: the JavaScript executes in the end user's browser if no strict Content Security Policy is in place. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents in which this issue was exploited.

Recommendations

For SimpleSAMLphp versions prior to 1.17.3, update to version 1.17.3 or later. As a temporary workaround, deploy a strict Content Security Policy that forbids inline JavaScript. Restrict access to metadata management to minimize the risk of exploitation, and avoid consuming metadata automatically from untrusted sources.
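The last recommendation can be enforced before metadata is loaded. The following added example (not SimpleSAMLphp's own code) parses a SAML 2.0 entity descriptor and reports every endpoint URL whose scheme is not http(s); the metadata document it runs on is a constructed sample.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Endpoint elements whose Location/ResponseLocation an SP or IdP emits into
# redirects and HTML forms when sending SAML messages.
ENDPOINT_TAGS = (
    "SingleSignOnService",
    "SingleLogoutService",
    "AssertionConsumerService",
    "ArtifactResolutionService",
)
# Allow-list: anything that is not an absolute http(s) URL is rejected,
# which covers javascript:, data:, mixed-case schemes and relative paths.
ALLOWED_SCHEMES = {"https", "http"}


def unsafe_endpoints(metadata_xml: str):
    """Return (element, attribute, value) for every endpoint URL that is not http(s)."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                value = el.get(attr)
                if value is None:
                    continue
                # urlsplit drops tab/newline characters and .lower() folds case,
                # so obfuscated scheme spellings still end up compared as written.
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    findings.append((tag, attr, value))
    return findings


# Constructed sample: one legitimate endpoint and one tampered endpoint.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="javascript:void(0)"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for tag, attr, value in unsafe_endpoints(SAMPLE_METADATA):
        print(f"REJECT {tag}@{attr}: {value!r}")
```

Run the check on every metadata document before it is written to the metadata directory; a non-empty result means the document should not be loaded.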

Fix

XSS

Weakness Enumeration

Related Identifiers

GHSA-VPR3-CW3H-PRW8

Affected Products

Simplesamlphp