216.73.217.86

CVE-2025-65954

· Published 18/05/2026 20:16 · Modified 18/05/2026 21:16

Labels: CVE-2025-65954 2026-05-18CVE-2025-65954CWE-601[email protected]

Essential information

Published
18/05/2026 20:16
Modified
18/05/2026 21:16
Author
Creator
CVSS
4.7 MEDIUM (v3.0)
CISA KEV
No
CWE
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CVSS metrics

Description

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. Impacted configs include 'enable_logout' => true, and 'skip_logout_page' -> true. This issue has been resolved in versions 6.3.1 and 7.0.0.

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
simpleSAMLphp / simpleSAMLphp-casserver cpe:2.3:a:simpleSAMLphp:simpleSAMLphp-casserver:<6.3.1:*:*:*:*:*:*:*
simpleSAMLphp / simpleSAMLphp-casserver cpe:2.3:a:simpleSAMLphp:simpleSAMLphp-casserver:<7.0.0:*:*:*:*:*:*:*

References