Miniorange: Security Vulnerabilities
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
CVSS Score: 8.1; EPSS Score: 0.002; Published: 2022-03-21

The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows XSS.
CVSS Score: 5.4; EPSS Score: 0.003; Published: 2021-08-13

The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for TYPO3 allows Sensitive Data Exposure of API credentials and private keys.
CVSS Score: 7.5; EPSS Score: 0.003; Published: 2021-08-13

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element.
CVSS Score: 6.1; EPSS Score: 0.004; Published: 2020-02-17

In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress, the SAML Login Endpoint is vulnerable to XSS via a specially crafted SAMLResponse XML post.
CVSS Score: 6.1; EPSS Score: 0.001; Published: 2019-06-24

