cvedb.io
CVE-2017-12868
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2017-09-01T13:29:00.240 · Last modified 2026-06-17T01:04:03.403

Summary

The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation.

Affected products

Vendor: simplesamlphp · Product: simplesamlphp


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.