CVE 2021-28963

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

Related bugs and status

CVE-2021-28963 (Candidate) is related to these bugs:

Bug #1919419: Phishing vulnerability: Template generation allows external parameters to override placeholders

Summary				In	Importance	Status
	1919419	Phishing vulnerability: Template generation allows external parameters to override placeholders		shibboleth-sp (Ubuntu)	Medium	Fix Released
	1919419	Phishing vulnerability: Template generation allows external parameters to override placeholders		shibboleth-sp (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.