Matt Elder discovered that Shibboleth, a federated web single sign-on system is vulnerable to script injection through redirection URLs