CVE-2022-26493 is a vulnerability in Drupal Saml Sp 2 0 Single Sign On
Published on June 3, 2022
miniOrange SAML Authentication Bypass
Xecurify's miniOrange Premium, Standard, and Enterprise Drupal SAML SP modules possess an authentication and authorization bypass vulnerability. An attacker with access to a HTTP-request intercepting method is able to bypass authentication and authorization by removing the SAML Assertion Signature - impersonating existing users and existing roles, including administrative users/roles. This vulnerability is not mitigated by configuring the module to enforce signatures or certificate checks. Xecurify recommends updating miniOrange modules to their most recent versions. This vulnerability is present in paid versions of the miniOrange Drupal SAML SP product affecting Drupal 7, 8, and 9.
Vulnerability Analysis
CVE-2022-26493 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Products Associated with CVE-2022-26493
Want to know whenever a new CVE is published for Drupal Saml Sp 2 0 Single Sign On? stack.watch will email you.
Affected Versions
Xecuify Drupal 8 miniOrange SAML SP:- Version miniOrange Premium and below 30.5 is affected.
- Version miniOrange Standard and below 20.3 is affected.
- Version miniOrange Enterprise and below 40.4 is affected.
- Version miniOrange Premium and below 30.5 is affected.
- Version miniOrange Standard and below 20.3 is affected.
- Version miniOrange Enterprise and below 40.4 is affected.
- Version miniOrange Premium and below 30.2 is affected.
- Version miniOrange Standard and below 20.2 is affected.
- Version miniOrange Enterprise and below 40.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.