A flaw was discovered in the Ipsilon IdP server: it did not properly authorize a change of the provider's name. Non-administrative users could use this flaw to change the name to a duplicate value, which could possibly lead to a denial-of-service attack.
Patrick Uiterwijk of Red Hat reports:
ipsilon does not properly sanitize user-provided data in certain data fields.
Created ipsilon tracking bugs for this issue:
Affects: fedora-all [bug 1255176]
This issue was discovered by Patrick Uiterwijk of Red Hat.
It was found that Ipsilon does not properly authorize a change of the name of the provider. Non-admin users could change the name to a duplicate value, which could possibly lead to a DoS attack.