Full title: Shibboleth 2 XML Injection Vulnerability
Category: web applications
Platform: multiple

RedTeam Pentesting discovered that the shibd service of Shibboleth 2 does not extract SAML attribute values in a robust manner. By inserting XML entities into a SAML response, attackers may truncate attribute values without breaking the document's signature. This might lead to a complete bypass of authorisation mechanisms. Versions prior to 2.6.1 are affected.
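
A defensive check for the weakness described above, as an added example that is not part of the original advisory or of Shibboleth's code: it parses a SAML fragment with Python's expat bindings, flags any DTD or entity declaration, and joins every text chunk of each AttributeValue so a value cannot be cut short at an entity boundary. The sample documents, the names inspect_saml and accept, and the reject-on-DTD policy are assumptions made for illustration.

```python
import xml.parsers.expat

ATTR_VALUE = "urn:oasis:names:tc:SAML:2.0:assertion AttributeValue"

# Constructed sample inputs (not taken from the advisory).
DOC = (b'<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
       b'Name="mail"><saml:AttributeValue>%s</saml:AttributeValue>'
       b'</saml:Attribute>')
CLEAN = DOC % b"user@example.org"
WITH_DTD = b'<!DOCTYPE a [<!ENTITY e "@">]>' + DOC % b"user&e;example.org"


def inspect_saml(xml_bytes):
    """Return (dtd_seen, values): whether the message declares a DTD or
    entity, and the complete text of every AttributeValue element."""
    state = {"dtd": False, "chunks": None}
    values = []

    def start(name, attrs):
        if name == ATTR_VALUE:
            state["chunks"] = []

    def chars(data):
        # A parser may report one value as several text chunks (for example
        # around an entity reference), so every chunk is collected.
        if state["chunks"] is not None:
            state["chunks"].append(data)

    def end(name):
        if name == ATTR_VALUE:
            values.append("".join(state["chunks"]))
            state["chunks"] = None

    def saw_dtd(*args):
        state["dtd"] = True

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = saw_dtd
    parser.EntityDeclHandler = saw_dtd
    parser.Parse(xml_bytes, True)
    return state["dtd"], values


def accept(xml_bytes):
    """Assumed policy: a SAML message that carries a DTD is rejected."""
    dtd_seen, values = inspect_saml(xml_bytes)
    return (not dtd_seen), values
```
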