FusionAuth-SAMLv2 0.2.3 Message Forging
Posted by deepcore on October 3, 2020 – 1:25 pm
Unauthenticated users can send forged messages to FusionAuth to bypass authentication, impersonate other users or gain arbitrary roles. A SAML message can be sent to the application without a signature even when a signature is required, so the subject and attributes of the unsigned assertion are accepted as if they had been issued by the identity provider. The impact depends on the individual applications that implement fusionauth-samlv2. Version 0.2.3 is vulnerable.
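The following is an added example, not code from fusionauth-samlv2 or FusionAuth. It shows the general bug class behind this advisory: a service-provider check that verifies a signature only when one is present, beside one that treats a missing signature as a failure when signing is required. Element names follow SAML 2.0; the HMAC "signature", the `IDP_KEY` value, the `roles` attribute and the sample responses are constructed stand-ins for XML-DSig and real IdP traffic.

```python
# Added example (not fusionauth-samlv2 code): "verify a signature if present"
# versus "require a signature". The HMAC below stands in for XML-DSig.
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():   # fixed prefixes so serialization is stable
    ET.register_namespace(_prefix, _uri)

IDP_KEY = b"constructed-idp-secret"   # assumption: shared key for the toy HMAC


def build_response(name_id, roles):
    """Build an unsigned samlp:Response with a NameID and a 'roles' attribute."""
    resp = ET.Element(f"{{{NS['samlp']}}}Response")
    assertion = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = name_id
    stmt = ET.SubElement(assertion, f"{{{NS['saml']}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{NS['saml']}}}Attribute", Name="roles")
    for role in roles:
        ET.SubElement(attr, f"{{{NS['saml']}}}AttributeValue").text = role
    return resp


def unsigned_wire(name_id, roles):
    """What an attacker sends: a Response with no ds:Signature at all."""
    return ET.tostring(build_response(name_id, roles))


def _mac(root, key):
    """Stand-in for XML-DSig: HMAC-SHA256 over the serialized Assertion."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response has no Assertion")
    return hmac.new(key, ET.tostring(assertion), hashlib.sha256).hexdigest()


def idp_sign(resp, key=IDP_KEY):
    """IdP side: compute the MAC, append ds:Signature, return wire bytes."""
    mac = _mac(resp, key)
    sig = ET.SubElement(resp, f"{{{NS['ds']}}}Signature")
    ET.SubElement(sig, f"{{{NS['ds']}}}SignatureValue").text = mac
    return ET.tostring(resp)


def _identity(root):
    """Subject and roles the application would act on after validation."""
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='roles']/saml:AttributeValue", NS)]
    return {"name_id": name_id, "roles": roles}


def _signature_ok(root, sig_value, key):
    return hmac.compare_digest(_mac(root, key).encode(), sig_value.encode())


def sp_validate_vulnerable(wire, key=IDP_KEY, require_signature=True):
    """Vulnerable pattern: the signature is checked only if the message carries
    one, so require_signature is never consulted and unsigned input passes."""
    root = ET.fromstring(wire)
    sig = root.findtext("ds:Signature/ds:SignatureValue", namespaces=NS)
    if sig is not None and not _signature_ok(root, sig, key):
        raise PermissionError("invalid signature")
    return _identity(root)


def sp_validate_fixed(wire, key=IDP_KEY, require_signature=True):
    """Fixed pattern: a missing signature is a failure whenever one is required."""
    root = ET.fromstring(wire)
    sig = root.findtext("ds:Signature/ds:SignatureValue", namespaces=NS)
    if sig is None:
        if require_signature:
            raise PermissionError("unsigned response rejected")
    elif not _signature_ok(root, sig, key):
        raise PermissionError("invalid signature")
    return _identity(root)


def outcome(validator, wire, **kw):
    """Return the accepted identity, or the rejection reason as a string."""
    try:
        return validator(wire, **kw)
    except PermissionError as exc:
        return str(exc)


def demo():
    """Run a genuine, a forged (unsigned) and a tampered (signed) response
    through both validators; returns (vulnerable_result, fixed_result) per case."""
    genuine = idp_sign(build_response("alice", ["user"]))
    forged = unsigned_wire("alice", ["admin"])          # attacker drops the signature
    tree = ET.fromstring(genuine)                        # attacker edits a signed message
    tree.find(".//saml:AttributeValue", NS).text = "admin"
    tampered = ET.tostring(tree)
    return {
        "genuine": (outcome(sp_validate_vulnerable, genuine), outcome(sp_validate_fixed, genuine)),
        "forged": (outcome(sp_validate_vulnerable, forged), outcome(sp_validate_fixed, forged)),
        "tampered": (outcome(sp_validate_vulnerable, tampered), outcome(sp_validate_fixed, tampered)),
    }


if __name__ == "__main__":
    for case, (vuln, fixed) in demo().items():
        print(f"{case:9s} vulnerable={vuln!r} fixed={fixed!r}")
```

Both validators reject a signed message whose assertion was altered after signing; only the fixed one rejects a message that carries no signature at all, which is the case this advisory describes. The distinction to look for when auditing a SAML consumer is whether "signature required" is enforced as a precondition or merely used to decide how to verify a signature that happens to be present.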