Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-26493

Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signature - impersonating existing users and existing roles, including administrative users/roles. This vulnerability is not mitigated by configuring the module to enforce signatures or certificate checks. Xecurify recommends updating miniOrange modules to their most recent versions. This vulnerability is present in paid versions of the miniOrange Drupal SAML SP product affecting Drupal 7, 8, and 9.

Published

2022-06-03T18:15:09.207

Last Modified

2024-11-21T06:54:03.060

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-295

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	saml_sp_2.0_single_sign_on	≤ 7.x-2.57	Yes
Application	drupal	saml_sp_2.0_single_sign_on	≤ 8.x-2.24	Yes

References

https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html ([email protected])
https://rafarmerjr1.github.io/2022/06/13/SAML-miniOrange.html (af854a3a-2127-422b-91ae-364da2661108)