{"id":"CVE-2021-28963","details":"Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.","modified":"2026-03-15T22:40:05.923428Z","published":"2021-03-22T08:15:13.247Z","references":[{"type":"WEB","url":"https://git.shibboleth.net/view/?p=cpp-sp.git%3Ba=commit%3Bh=d1dbebfadc1bdb824fea63843c4c38fa69e54379"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4872"},{"type":"ADVISORY","url":"https://bugs.debian.org/985405"},{"type":"ADVISORY","url":"https://shibboleth.net/community/advisories/secadv_20210317.txt"},{"type":"FIX","url":"https://issues.shibboleth.net/jira/browse/SSPCPP-922"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"3.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28963.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}