7.5

CVE-2016-10928

OneLogin SAML SSO < 2.2.0 - Authentication Bypass

The onelogin-saml-sso plugin before 2.2.0 for WordPress has a hardcoded @@@nopass@@@ password for just-in-time provisioned users.
Mögliche Gegenmaßnahme
OneLogin SAML SSO: Update to version 2.2.0, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OneloginOnelogin Saml Sso SwPlatformwordpress Version < 2.2.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt OneLogin SAML SSO
Version [*, 2.2.0)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.68% 0.739
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/onelogin/wordpress-saml/commit/fbe808e2fd8fde8cb7e6bf365c5334b5702262da
Patch
Third Party Advisory
https://wordpress.org/plugins/onelogin-saml-sso/#developers
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/10ee015a-c60b-4236-bb7a-9d3ffd944bf9
Third Party Advisory