=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN236
_____________________________________________________________________

DATE                : 27/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAML SSO - Service Provider for
                            Drupal versions prior to 3.1.3.

=====================================================================
https://www.drupal.org/sa-contrib-2026-018
_____________________________________________________________________

SAML SSO - Service Provider - Critical - Cross-site scripting -
SA-CONTRIB-2026-018

Project:     SAML SSO - Service Provider
Date:        2026-February-25
Security risk:     Critical 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability:     Cross-site scripting
Affected versions: <3.1.3
CVE IDs:           CVE-2026-3217

Description: 

This module enables you to perform SAML protocol-based single sign-on
(SSO) on a Drupal site.

The module doesn't sufficiently sanitize user input, leading to a
reflected Cross-site scripting (XSS) vulnerability.
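To show the vulnerability class this advisory names, the following PHP snippet is an added illustration, not code from the SAML SSO - Service Provider module or from the advisory. It contrasts a handler that copies a request value into HTML verbatim with one that HTML-encodes it first. The function names and the "msg" parameter are hypothetical; the advisory does not identify which input the module failed to sanitize.

```php
<?php
// Added example (not the module's code): a reflected XSS pattern and its fix.
// The request parameter name "msg" is hypothetical; the advisory names none.

// Unsafe: the query value is concatenated into markup unchanged, so any HTML
// in the request is reflected into the page and interpreted by the browser.
function render_unsafe(array $query): string
{
    $msg = $query['msg'] ?? '';
    return '<div class="messages">' . $msg . '</div>';
}

// Fixed: HTML-encode the value before placing it in markup. In Drupal the
// equivalent is \Drupal\Component\Utility\Html::escape(), or a render array
// that uses '#plain_text' rather than '#markup' for user-controlled strings.
function render_safe(array $query): string
{
    $msg = $query['msg'] ?? '';
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="messages">' . $escaped . '</div>';
}

// Constructed sample input: a value containing markup-significant characters.
$sample = ['msg' => '<b>hello</b> & "quotes"'];
echo render_unsafe($sample), PHP_EOL;
echo render_safe($sample), PHP_EOL;
```

Encoding at the point where a string enters HTML (output encoding) is the fix the Drupal render system already applies when '#plain_text' is used; the vulnerable shape is any path that lets raw request data reach '#markup' or string concatenation.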

Solution: 

Install the latest version:

    If you are using the "SAML SSO - Service Provider" module for
    Drupal, upgrade to SAML SSO - Service Provider 3.1.3.

Reported By: 

    Drew Webber (mcdruid) of the Drupal Security Team 

Fixed By: 

    Sudhanshu Dhage (sudhanshu0542) 

Coordinated By: 

    Drew Webber (mcdruid) of the Drupal Security Team
    Juraj Nemec (poker10) of the Drupal Security Team
    Jess (xjm) of the Drupal Security Team 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================