CVE-2023-4612 – MFA bypass in Apereo CAS
https://notcve.org/view.php?id=CVE-2023-4612
Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS through 7.0.0-RC7. It is unknown whether the issue will be fixed in newer versions. As of the publication date there is no patch, and the vendor does not treat it as a vulnerability.
References: https://cert.pl/en/posts/2023/11/CVE-2023-4612 ; https://cert.pl/posts/2023/11/CVE-2023-4612
Weakness: CWE-287: Improper Authentication; CWE-302: Authentication Bypass by Assumed-Immutable Data
CVE-2021-42567
https://notcve.org/view.php?id=CVE-2021-42567
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
References: https://apereo.github.io/2021/10/18/restvuln ; https://github.com/apereo/cas/releases
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-27178
https://notcve.org/view.php?id=CVE-2020-27178
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.
References: https://apereo.github.io/2020/10/14/gauthvuln