SCA: security update for simplesamlphp/simplesamlphp (GHSA-mj9p-v2r8-wf8w)

medium Tenable Cloud Security Plugin ID 422165

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error
reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new
SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an
external dependency. This new wrapper allows us to use Twig templates in order to create the email sent
with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-
text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the
new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no
escaping is provided in this template, it is then possible to inject HTML inside the template by manually
crafting the contents of the free-text field. (CVE-2020-5226)

See Also

https://github.com/advisories/GHSA-mj9p-v2r8-wf8w

Plugin Details

Severity: Medium

ID: 422165

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2020-5226

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/24/2020

Vulnerability Publication Date: 1/24/2020

Reference Information

CVE: CVE-2020-5226

cwe: CWE-79