CVE-2021-36786: 
PHP vulnerability analysis and mitigation

The miniorange_saml (aka Miniorange Saml) extension before version 1.4.3 for TYPO3 was discovered to contain a sensitive data exposure vulnerability that allowed access to API credentials and private keys (Vendor Advisory). The vulnerability was identified and disclosed in August 2021, affecting all versions of the extension up to and including version 1.4.2.

The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper protection of sensitive information, specifically API credentials and private keys, which were exposed within the extension (NVD). The vulnerability is classified under CWE-922 (Insecure Storage of Sensitive Information).

The vulnerability allows unauthorized access to sensitive API credentials and private keys. This exposure could potentially enable attackers to gain unauthorized access to systems or services that rely on these credentials, compromising the security of the TYPO3 installation (Vendor Advisory).

The vulnerability has been fixed in version 1.4.3 of the miniorange_saml extension. Users are strongly advised to update to this version as soon as possible. The updated version can be obtained through the TYPO3 extension manager, Packagist, or directly from the TYPO3 extension repository (Vendor Advisory).