5 results (0.006 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1

A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. • https://gist.github.com/0xArthurSouza/281e8ea8a797abc8371a8ced31dc5562 https://vuldb.com/?ctiid.284523 https://vuldb.com/?id.284523 https://vuldb.com/?submit.437238 • CWE-287: Improper Authentication •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1

A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. • https://gist.github.com/0xArthurSouza/ce3b89887b03cc899d5e8cb6e472b04e https://ibb.co/1LxSK2k https://vuldb.com/?ctiid.284522 https://vuldb.com/?id.284522 https://vuldb.com/?submit.437211 • CWE-613: Insufficient Session Expiration •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login. The manipulation of the argument redirect_uri leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://gist.github.com/0xArthurSouza/68295d8fa20f18161945260fcdf842a2 https://vuldb.com/?ctiid.284521 https://vuldb.com/?id.284521 https://vuldb.com/?submit.437207 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. Vulnerabilidad de XEE (XML External Entity) en java/org/jasig/cas/util/SamlUtils.java en el servidor Jasig CAS en versiones anteriores a la 3.4.12.1 y versiones 3.5.x anteriores a la 3.5.2.1, cuando Google Accounts Integration está habilitado, permite que usuarios remotos no autenticados omitan la autenticación mediante datos XML manipulados. • http://jasig.275507.n4.nabble.com/CAS-3-5-2-1-and-3-4-12-1-Security-Releases-td4662444.html https://vigilance.fr/vulnerability/Jasig-CAS-Server-bypassing-authentication-via-Google-Accounts-Integration-14512 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 9.8EPSS: 2%CPEs: 5EXPL: 0

A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java. Se detectó una vulnerabilidad de inyección de parámetros de URL en el paso de validación de tickets del canal posterior del protocolo CAS en Jasig Java CAS Client versiones anteriores a 3.3.2, .NET CAS Client versiones anteriores a 1.0.2 y phpCAS versiones anteriores a 1.3.3, que permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del (1) parámetro service en el archivo validation/AbstractUrlBasedTicketValidator.java o del (2) parámetro pgtUrl en el archivo validation/Cas20ServiceTicketValidator.java. • http://lists.fedoraproject.org/pipermail/package-announce/2014-August/137182.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759718 https://bugzilla.redhat.com/show_bug.cgi?id=1131350 https://exchange.xforce.ibmcloud.com/vulnerabilities/95673 https://github.com/Jasig/dotnet-cas-client/commit/f0e030014fb7a39e5f38469f43199dc590fd0e8d https://github.com/Jasig/java-cas-client/commit/ae37092100c8eaec610dab6d83e5e05a8ee58814 https://github.com/Jasig/phpCAS/blob/master/docs/ChangeLog https://github.com/Jasig/phpCAS&#x • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •