DRUPAL-CONTRIB-2021-036

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/miniorange_saml/DRUPAL-CONTRIB-2021-036.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-036
Published
2021-09-22T17:12:02Z
Modified
2025-12-10T23:33:52.186704Z
Summary
[none]
Details

This module provides a solution to authenticate visitors using existing SAML providers.

Certain non-default configurations allow a malicious user to log in as any chosen user.

The vulnerability is mitigated by the module's default settings, which require the options "Either sign SAML assertions" and "x509 certificate".

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/miniorange_saml

Package

Name
drupal/miniorange_saml
Purl
pkg:composer/drupal/miniorange_saml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.24.0
Database specific
{
    "constraint": "<2.24.0"
}

Database specific

affected_versions
"<2.24.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/miniorange_saml/DRUPAL-CONTRIB-2021-036.json"