{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/signature-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["admidio"],"_cs_severities":["medium"],"_cs_tags":["saml","signature-bypass","authentication","authorization","web-application"],"_cs_type":"advisory","_cs_vendors":["admidio"],"content_html":"\u003cp\u003eAdmidio, a free web-based content management system for organizations and groups, contains a critical vulnerability in its SAML Single Sign-On (SSO) implementation. The \u003ccode\u003evalidateSignature()\u003c/code\u003e method within the SAMLService class returns error strings upon signature validation failure, rather than throwing exceptions. The calling functions, \u003ccode\u003ehandleSSORequest()\u003c/code\u003e and \u003ccode\u003ehandleSLORequest()\u003c/code\u003e, incorrectly assume that the method throws an exception, and therefore, do not check the return value. This oversight renders the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e configuration option ineffective, allowing attackers to forge SAML AuthnRequests and LogoutRequests. An attacker can exploit this vulnerability to obtain sensitive user information or cause denial of service by terminating user sessions. This affects Admidio versions 5.0.8 and earlier and requires SAML SSO to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SAML AuthnRequest or LogoutRequest without a valid signature, impersonating a legitimate Service Provider (SP).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the forged SAML request to the Admidio instance via HTTP GET or POST to \u003ccode\u003emodules/sso/index.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereceiveMessage()\u003c/code\u003e function parses the SAML binding directly from the HTTP request, requiring no prior authentication.\u003c/li\u003e\n\u003cli\u003eThe Entity ID is extracted from the forged request\u0026rsquo;s Issuer element, and the corresponding client configuration is loaded.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003evalidateSignature()\u003c/code\u003e function is called, but its return value (indicating signature validity) is discarded.\u003c/li\u003e\n\u003cli\u003eFor AuthnRequests, if the targeted user has an active session (\u003ccode\u003e$gValidLogin\u003c/code\u003e is true), the login form is skipped.\u003c/li\u003e\n\u003cli\u003eAdmidio builds a SAML Response containing the user\u0026rsquo;s attributes (login, name, email, roles) and sends it to the attacker-controlled \u003ccode\u003eAssertionConsumerServiceURL\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor LogoutRequests, the user\u0026rsquo;s session is immediately terminated in the database, triggering a cascading single logout across all registered SPs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to several critical impacts. The primary impact is the complete bypass of signature enforcement, negating the security benefits of the \u003ccode\u003esmc_require_auth_signed\u003c/code\u003e setting. This can lead to the disclosure of sensitive user attributes, including login name, email, and role memberships, to unauthorized parties by forging SSO requests and redirecting them to attacker-controlled endpoints. Furthermore, attackers can terminate any user\u0026rsquo;s Admidio session by forging SLO requests, potentially causing a denial-of-service condition. This vulnerability affects all Admidio instances with SAML SSO enabled and can potentially impact all users of the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix in the Admidio codebase to check the return value of \u003ccode\u003evalidateSignature()\u003c/code\u003e and throw an exception on failure, as outlined in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-25cw-98hg-g3cg)\"\u003ehttps://github.com/advisories/GHSA-25cw-98hg-g3cg)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML AuthnRequest Detection\u0026rdquo; to detect potentially malicious SAML AuthnRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Admidio Forged SAML LogoutRequest Detection\u0026rdquo; to detect potentially malicious SAML LogoutRequests lacking a valid signature via webserver logs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/adm_program/modules/sso/index.php/saml/sso\u003c/code\u003e and \u003ccode\u003e/adm_program/modules/sso/index.php/saml/slo\u003c/code\u003e without proper signature validation to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Admidio to address CVE-2026-41669.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:56:13Z","date_published":"2026-04-29T21:56:13Z","id":"/briefs/2026-04-admidio-saml-bypass/","summary":"Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.","title":"Admidio SAML Signature Validation Bypass Allows Forged AuthnRequests and LogoutRequests","url":"https://feed.craftedsignal.io/briefs/2026-04-admidio-saml-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Stripe Webhook"],"_cs_severities":["critical"],"_cs_tags":["stripe","webhook","signature-bypass","quota-fraud"],"_cs_type":"advisory","_cs_vendors":["Stripe"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the \u003ccode\u003eRecharge\u003c/code\u003e function does not validate that the order\u0026rsquo;s \u003ccode\u003ePaymentMethod\u003c/code\u003e matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a user account on the target platform.\u003c/li\u003e\n\u003cli\u003eAttacker calls \u003ccode\u003ePOST /api/user/pay\u003c/code\u003e to create an Epay top-up order, setting the \u003ccode\u003eamount\u003c/code\u003e. The order is stored with a \u003ccode\u003epending\u003c/code\u003e status.\u003c/li\u003e\n\u003cli\u003eAttacker queries \u003ccode\u003eGET /api/user/topup/self\u003c/code\u003e to retrieve the \u003ccode\u003etrade_no\u003c/code\u003e of the pending order.\u003c/li\u003e\n\u003cli\u003eAttacker computes an \u003ccode\u003eHMAC-SHA256\u003c/code\u003e signature with an empty key over a crafted \u003ccode\u003echeckout.session.completed\u003c/code\u003e payload. This payload contains the stolen \u003ccode\u003etrade_no\u003c/code\u003e as the \u003ccode\u003eclient_reference_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e with the forged payload and a crafted \u003ccode\u003eStripe-Signature\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe server verifies the signature, which passes because the \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty.\u003c/li\u003e\n\u003cli\u003eThe server calls the \u003ccode\u003eRecharge()\u003c/code\u003e function, which finds the Epay order by \u003ccode\u003etrade_no\u003c/code\u003e, marks the order as \u003ccode\u003esuccess\u003c/code\u003e, and credits the attacker\u0026rsquo;s account with the full quota.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSet \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).\u003c/li\u003e\n\u003cli\u003eApply a reverse proxy (Nginx, Caddy, etc.) to deny access to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e if Stripe is not configured, as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forged Stripe Webhook Request\u003c/code\u003e to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.\u003c/li\u003e\n\u003cli\u003eUpgrade to v0.12.10 immediately, as it addresses all three flaws completely.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T15:43:25Z","date_published":"2026-04-24T15:43:25Z","id":"/briefs/2026-04-stripe-webhook-bypass/","summary":"A vulnerability in the Stripe webhook handler allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without payment, stemming from an empty StripeWebhookSecret and lack of PaymentMethod validation, enabling cross-gateway exploitation.","title":"Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud","url":"https://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40372"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["aspnet","privilege-escalation","cve-2026-40372","signature-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40372 describes a critical vulnerability affecting ASP.NET Core applications. This flaw arises from the improper verification of cryptographic signatures, creating an avenue for unauthorized attackers to elevate their privileges within a network. Successful exploitation of this vulnerability could grant attackers significant control over affected systems. According to the NVD, the CVE was published on April 21, 2026. Given the severity of privilege escalation and the potential for widespread impact on ASP.NET Core deployments, this vulnerability poses a significant risk and demands immediate attention from security teams. The vulnerability is referenced by Microsoft in their advisory related to CVE-2026-40372.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an ASP.NET Core application vulnerable to CVE-2026-40372.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing a tampered cryptographic signature.\u003c/li\u003e\n\u003cli\u003eThe vulnerable ASP.NET Core application fails to properly verify the cryptographic signature due to the flaw described in CVE-2026-40372.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious request as if it were legitimate, bypassing authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the bypassed checks to gain access to sensitive functions or data.\u003c/li\u003e\n\u003cli\u003eAttacker escalates privileges within the ASP.NET Core application context.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform unauthorized actions, such as modifying data, executing code, or accessing restricted resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control of the compromised ASP.NET Core application and potentially the underlying server, depending on application permissions and configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40372 can lead to complete compromise of affected ASP.NET Core applications. An attacker gaining elevated privileges can modify sensitive data, execute arbitrary code, or disrupt services. Given the widespread use of ASP.NET Core in web applications across various sectors, the potential impact is substantial. The vulnerability\u0026rsquo;s critical severity (CVSS 9.1) highlights the high risk it poses to organizations relying on ASP.NET Core.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to address CVE-2026-40372 as detailed in the Microsoft advisory [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372].\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious ASP.NET Core Request\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview ASP.NET Core application configurations to minimize the potential impact of privilege escalation.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture detailed information about incoming requests, aiding in the detection and investigation of exploitation attempts (webserver category).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-aspnet-privesc/","summary":"CVE-2026-40372 is a critical vulnerability in ASP.NET Core stemming from improper cryptographic signature verification, potentially enabling unauthorized attackers to achieve network-based privilege escalation.","title":"ASP.NET Core Improper Signature Verification Vulnerability (CVE-2026-40372)","url":"https://feed.craftedsignal.io/briefs/2026-04-aspnet-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["jsrsasign","vulnerability","signature-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJsrsasign is a free open source cryptography library for JavaScript. Versions before 11.1.1 contain an incorrect conversion between numeric types due to improper handling of negative exponents in the \u003ccode\u003eext/jsbn2.js\u003c/code\u003e file. This vulnerability, identified as CVE-2026-4602, allows an attacker to force the computation of incorrect modular inverses, leading to the potential breakage of signature verification. The vulnerability was reported and patched in March 2026. This could allow an attacker to…\u003c/p\u003e\n","date_modified":"2026-03-23T06:16:22Z","date_published":"2026-03-23T06:16:22Z","id":"/briefs/2026-03-jsrsasign-vuln/","summary":"Jsrsasign versions before 11.1.1 are vulnerable to an incorrect conversion between numeric types vulnerability, where an attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.","title":"Jsrsasign \u003c 11.1.1 Incorrect Conversion Vulnerability (CVE-2026-4602)","url":"https://feed.craftedsignal.io/briefs/2026-03-jsrsasign-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Signature-Bypass","version":"https://jsonfeed.org/version/1.1"}