PatchSiren

simplesamlphp CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM simplesamlphp CVE published 2026-05-18

CVE-2025-65954

CVE-2025-65954 affects SimpleSAMLphp-casserver, a CAS 1.0/2.0-compliant CAS server module for SimpleSAMLphp. In affected versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter and treats its value as trusted. Depending on configuration, the browser is either redirected to that URL or shown a logout page containing a follow-on link to it. The issue is fixed in versions 6.3.1 and 7.0.0.

CRITICAL Simplesamlphp CVE published 2017-02-17

CVE-2016-9814

CVE-2016-9814 is a critical authentication flaw in SimpleSAMLphp and the simplesamlphp/saml2 library. The issue is in validateSignature, where improper conversion of return values to boolean can let a remote attacker spoof SAML responses and may also trigger denial of service through memory consumption.

MEDIUM Simplesamlphp CVE published 2017-02-07

CVE-2016-3124

CVE-2016-3124 is an information-disclosure issue in SimpleSAMLphp’s sanitycheck module. According to NVD, versions through 1.14.0 are affected and the issue was fixed starting in 1.14.1. A remote attacker could learn the PHP version on the system through unspecified vectors, which primarily affects confidentiality rather than integrity or availability.