Vulnerabilities > Apereo

Columns: DATE (published) | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | ATTACK COMPLEXITY | VENDORS / CWE | RISK (CVSS score)

2020-01-30  CVE-2020-5228  Missing Authorization vulnerability in Apereo Opencast
  Description: Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH.
  Attack vector: network; attack complexity: low
  Vendors: apereo; CWE-862
  Risk: 7.5

2020-01-24  CVE-2014-4172  Injection vulnerability in multiple products
  Description: A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
  Attack vector: network; attack complexity: low
  Vendors: apereo, debian, fedoraproject; CWE-74
  Risk: 9.8 (critical)

2019-12-05  CVE-2012-1105  Information Exposure vulnerability in multiple products
  Description: An information disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory.
  Attack vector: local; attack complexity: low
  Vendors: apereo, fedoraproject, debian; CWE-200
  Risk: 5.5

2019-12-05  CVE-2012-1104  Improper Privilege Management vulnerability in multiple products
  Description: A security bypass vulnerability exists in the phpCAS 1.2.2 library from the Jasig project due to the way proxying of services is managed.
  Attack vector: network; attack complexity: low
  Vendors: apereo, debian; CWE-269
  Risk: 5.3

2019-09-23  CVE-2019-10754  Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apereo Central Authentication Service
  Description: Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes those tokens and IDs predictable because the PRNG algorithm behind RandomStringUtils is not cryptographically strong.
  Attack vector: network; attack complexity: low
  Vendors: apereo; CWE-338
  Risk: 8.1

2018-12-20  CVE-2018-1000836  XXE vulnerability in Apereo Bw-Calendar-Engine 3.12.0
  Description: bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning.
  Attack vector: network; attack complexity: high
  Vendors: apereo; CWE-611
  Risk: 9.0 (critical)

2018-12-10  CVE-2018-20000  XXE vulnerability in Apereo Bw-Webdav
  Description: Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.
  Attack vector: network; attack complexity: low
  Vendors: apereo; CWE-611
  Risk: 7.5

2018-07-20  CVE-2014-2296  XXE vulnerability in Apereo CAS Server
  Description: XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
  Attack vector: network; attack complexity: low
  Vendors: apereo; CWE-611
  Risk: 8.8

2017-11-17  CVE-2017-1000221  Incorrect Permission Assignment for Critical Resource vulnerability in Apereo Opencast
  Description: In Opencast 2.2.3 and older, if user names overlap, the Opencast search service used for publication to the media modules and players handles access control incorrectly, so that users only need to match part of the user name used for the access restriction.
  Attack vector: network; attack complexity: low
  Vendors: apereo; CWE-732
  Risk: 6.5

2017-07-17  CVE-2017-1000071  Improper Authentication vulnerability in Apereo PHPcas 1.3.4
  Description: Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server.
  Attack vector: network; attack complexity: high
  Vendors: apereo; CWE-287
  Risk: 8.1