Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS). This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.
Published: 2026-03-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Unescaped user input in the Drupal SAML SSO - Service Provider module allows cross-site scripting when a web page is generated. An attacker could inject malicious scripts that run in the context of a legitimate user, enabling session hijacking, defacement, or credential theft. The vulnerability is classified as a standard cross-site scripting flaw per CWE-79.

Affected Systems

Systems affected are installations of the Drupal SAML SSO - Service Provider module, versions from the initial release up through 3.1.2. The module is a contributed component for the Drupal content management system. Any site using older versions without the patch is vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 6.1 indicates moderate severity, and the low EPSS score (<1%) suggests exploitation is presently unlikely but still possible. It is not listed in the CISA KEV catalog. The attack vector is web-based; an attacker needs a browser context to deliver the payload, typically by persuading a user to visit a crafted URL or to interact with a page that processes untrusted input. Because the flaw is a typical reflected or stored XSS, success requires that the vulnerable input be reflected or stored on a page served to the user. Once injected, the attacker could execute arbitrary JavaScript inside that user's browser session.

Generated by OpenCVE AI on April 1, 2026 at 05:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Drupal SAML SSO - Service Provider version 3.1.3 or later.
  • If an upgrade is not immediately possible, disable the module until the patch is applied.
  • Verify that the XSS vulnerability is mitigated by testing with known payloads on the updated module.

Advisories

No advisories yet.

References
History

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Miniorange
                                      Miniorange saml Sso - Service Provider
CPEs                                  cpe:2.3:a:miniorange:saml_sso_-_service_provider:*:*:*:*:*:drupal:*:*
Vendors & Products                    Miniorange
                                      Miniorange saml Sso - Service Provider

Thu, 26 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Drupal
                                      Drupal saml Sso - Service Provider
Vendors & Products                    Drupal
                                      Drupal saml Sso - Service Provider

Wed, 25 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1
                                      {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                                      ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Description                           Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting (XSS). This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3.
Title                                 SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
Weaknesses                            CWE-79
References

MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-25T19:59:46.310Z

Reserved: 2026-02-25T16:59:33.466Z

Link: CVE-2026-3217

Vulnrichment

Updated: 2026-03-25T19:59:39.723Z

NVD

Status : Analyzed

Published: 2026-03-25T16:16:22.917

Modified: 2026-03-31T19:25:48.447

Link: CVE-2026-3217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:09Z

Weaknesses