CVE-2010-3690

https://notcve.org/view.php?id=CVE-2010-3690

Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en phpCAS anterior a v1.1.3, cuando el modo proxy está habilitado, permite a atacantes remotos inyectar secuencias de comandos web o HTML (1) a través del parámetro modificado Proxy Granting Ticket IOU (PGTiou) para la función callback en client.php y vectores que implican funciones que realizan llamadas getCallbackURL, o (3) vectores que implican funciones que realizan llamadas getURL • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82 http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050415.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050428.html http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049600.html http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049602.html http://secunia.com/advisories/41878 http://secunia.com/advisories/42149 http://secunia.com/advisories/42184 http:/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •