CVE-2020-5226

CVE-2020-5226 is a medium-severity vulnerability in Simplesamlphp with a CVSS 3.x base score of 4.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field.

Frequently asked questions

What is CVE-2020-5226?
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapper of an external dependency. This new wrapper allows us to use Twig templates in order to create the email sent with an error report. Since Twig provides automatic escaping of variables, manual escaping of the free-text field in www/errorreport.php was removed to avoid double escaping. However, for those not using the new user interface yet, an email template is hardcoded into the class itself in plain PHP. Since no escaping is provided in this template, it is then possible to inject HTML inside the template by manually crafting the contents of the free-text field.
How severe is CVE-2020-5226?
CVE-2020-5226 has a CVSS 3.x base score of 4.4, rated medium severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2020-5226 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2020-5226?
CVE-2020-5226 affects Simplesamlphp. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2020-5226?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2020-5226 published?
CVE-2020-5226 was published on 2020-01-24 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Simplesamlphp

All CVEs affecting Simplesamlphp →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →