Hi,
For your information.
/Paul.
SWAMID operations.
-------- Forwarded Message --------
From: "Cantor, Scott via announce" <announce(a)shibboleth.net>
Reply-To: users(a)shibboleth.net
To: announce(a)shibboleth.net <announce(a)shibboleth.net>
Cc: "Cantor, Scott" <cantor.2(a)osu.edu>
Subject: Shibboleth Identity Provider Security Advisory [26 August 2025]
Date: 26/08/25 14:19:55
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Shibboleth Identity Provider Security Advisory [26 August 2025]
An updated version of the Shibboleth Identity Provider is available
to address a cross-site scripting vulnerability in the CAS protocol
support when using certain request options that result in a particular
response format.
XSS vulnerability in one CAS response format
=================================================================
An XSS issue was identified in the IdP's handling of CAS responses
in certain situations. If exploited, exfiltration of cookies is
unlikely due to the default mitigations for that, but cross-site
request forgery attacks are very possible against CAS clients that
are not themselves hardened against certain kinds of malicious URLs.
Recommendations
===============
Update to V5.1.6 (or later) of the Identity Provider software. [1]
If unable to upgrade, another mitigation requires use of the CAS
Service Registry to control use of CAS (rather than the SAML metadata
extension specific to our software that many rely on) and the
expressions used to validate CAS service URLs would need to be fairly
strict and in particular avoid the use of tail-matching regular
expression wildcards that would permit essentially any decoration
of a URL to be accepted.
The SAML metadata alternative exclusively does this sort of open-
ended prefix matching and is not designed to prevent further URL
content from appearing at the end of a service URL, so its use
cannot mitigate against this issue.
Credits
=======
Discloze, Inc. <https://www.discloze.com/>
Dan Malone, California Polytechnic State University
[1] https://shibboleth.net/downloads/identity-provider/
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250826.txt
-----BEGIN PGP SIGNATURE-----
=3Tgc
-----END PGP SIGNATURE-----
--
To unsubscribe from this list send an email to
announce-unsubscribe(a)shibboleth.net
When you send an e-mail to Karlstad University, we will process your personal
data<https://www.kau.se/en/gdpr>.
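The forwarded advisory's workaround hinges on how strictly the CAS Service Registry patterns match service URLs: a pattern that ends in an open-ended wildcard accepts any decoration appended to a registered URL. The following is an added Python model of that check (example code, not the Shibboleth IdP's own Java matching logic); it assumes each registry entry is a regular expression matched against the whole service URL, and the pattern names, URLs and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample patterns in the style of a CAS service registry
# (assumption: each entry is a regex matched against the full service URL).
SERVICE_PATTERNS = {
    # Tail-matching wildcard: accepts anything after the registered prefix
    "loose": r"^https://app\.example\.org/.*$",
    # Exact service URL only
    "strict": r"^https://app\.example\.org/login$",
    # Permits one known query parameter with a constrained value
    "params": r"^https://app\.example\.org/login(\?next=/[A-Za-z0-9/_-]*)?$",
}

# Flags patterns whose tail is an unbounded .* or .+ (with or without a $).
TAIL_WILDCARD = re.compile(r"(\.\*|\.\+)\$?$")


def has_tail_wildcard(pattern: str) -> bool:
    """True when the pattern ends in an open-ended wildcard, which lets
    arbitrary trailing content on the service URL pass validation."""
    return TAIL_WILDCARD.search(pattern) is not None


def service_allowed(pattern: str, url: str) -> bool:
    """Whole-URL match, modelling a registry that matches the full service URL."""
    return re.fullmatch(pattern, url) is not None


def audit(patterns: dict) -> list:
    """Names of registry entries that would accept any URL decoration."""
    return [name for name, p in patterns.items() if has_tail_wildcard(p)]


if __name__ == "__main__":
    # Constructed service URLs: the registered one and a decorated variant.
    legit = "https://app.example.org/login"
    decorated = "https://app.example.org/login?callback=anything-goes-here"
    for name, p in SERVICE_PATTERNS.items():
        print(f"{name:7s} legit={service_allowed(p, legit)} "
              f"decorated={service_allowed(p, decorated)}")
    print("patterns needing review:", audit(SERVICE_PATTERNS))
```

Running `audit` over an exported list of your own registry patterns is a quick way to find entries that behave like the SAML metadata prefix match the advisory says cannot mitigate this issue; each flagged entry should be tightened to the exact URL (or the bounded parameter form) before relying on the registry as a workaround.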