CVE-2010-10002: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in SimpleSAMLphp simplesamlphp-module-openid prior to version 1.0. The vulnerability affects the OpenID Handler component, specifically in the file templates/consumer.php, where manipulation of the AuthState argument can lead to cross-site scripting attacks. This vulnerability was disclosed on January 1, 2023, and is tracked as CVE-2010-10002 (NVD, VulDB).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and involves the improper handling of user-controllable input in the OpenID Handler component. The CVSS v3.1 base scores vary between sources, with NVD assigning a score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and VulDB assigning a score of 3.1 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) (NVD).

The vulnerability impacts the integrity of the system by allowing attackers to execute scripts on the host using OpenID. Successful exploitation requires user interaction and could lead to unauthorized script execution in the victim's browser context (VulDB).

The vulnerability has been fixed in version 1.0 of simplesamlphp-module-openid. Users are advised to upgrade to this version. Alternatively, applying the patch identified as d652d41ccaf8c45d5707e741c0c5d82a2365a9a3 can remediate the issue (GitHub Patch).