{"id":"CVE-2020-15216","details":"In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available; all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0.","aliases":["GHSA-q547-gmf8-8jr7","GO-2020-0050"],"modified":"2026-03-15T14:38:00.717890Z","published":"2020-09-29T16:15:11.023Z","related":["GHSA-q547-gmf8-8jr7"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUH33FPUXED3FHYL25BJOQPRKFGPOMS2/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZECBFD4M4PHBMBOCMSQ537NOU37QOVWP/"},{"type":"ADVISORY","url":"https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"},{"type":"ADVISORY","url":"https://pkg.go.dev/github.com/russellhaering/goxmldsig?tab=overview"},{"type":"FIX","url":"https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/russellhaering/goxmldsig","events":[{"introduced":"0"},{"fixed":"6f318b2f18251aa66983056c1db7e4eef312103c"},{"fixed":"f6188febf0c29d7ffe26a0436212b19cb9615e64"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.1.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15216.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}