Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServic…

A vulnerability in Admidio's open-source user management solution allows attackers to redirect SAML responses to malicious URLs. The SAML IdP implementation fails to validate AssertionConsumerServiceURL values from incoming AuthnRequest messages against registered ACS URLs in the database. Attackers with knowledge of a registered Service Provider's Entity ID can craft malicious SAML requests to redirect signed responses containing user identity data to attacker-controlled endpoints. The vulnerability affects versions prior to 5.0.9 and exposes sensitive user information including login names, emails, roles, and profile fields. The issue has been patched in version 5.0.9.