It was discovered that Lasso did not properly verify that all assertions in a SAML response were properly signed. An attacker could possibly use this to impersonate users or otherwise bypass access controls.
Continue reading...
Continue reading...