Vulnerabilities > Apereo

DATE CVE VULNERABILITY TITLE RISK
2019-12-05 CVE-2012-1105 Information Exposure vulnerability in multiple products
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory.
local
low complexity
apereo fedoraproject debian CWE-200
2.1
2019-12-05 CVE-2012-1104 Improper Privilege Management vulnerability in multiple products
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services are managed.
network
low complexity
apereo linux debian CWE-269
5.0
2019-09-23 CVE-2019-10754 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apereo Central Authentication Service
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
network
low complexity
apereo CWE-338
5.5
2018-12-20 CVE-2018-1000836 XXE vulnerability in Apereo Bw-Calendar-Engine
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning.
network
apereo CWE-611
6.8
2018-12-10 CVE-2018-20000 XXE vulnerability in Apereo Bw-Webdav
Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java.
network
low complexity
apereo CWE-611
5.0
2018-07-20 CVE-2014-2296 XXE vulnerability in Apereo CAS Server
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
network
apereo CWE-611
6.8
2017-11-17 CVE-2017-1000221 Incorrect Permission Assignment for Critical Resource vulnerability in Apereo Opencast
In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction.
network
low complexity
apereo CWE-732
4.0
2017-07-17 CVE-2017-1000071 Improper Authentication vulnerability in Apereo PHPcas 1.3.4
Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server.
network
apereo CWE-287
6.8
2015-02-10 CVE-2015-1169 Injection vulnerability in Apereo Central Authentication Service
Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.
network
low complexity
apereo CWE-74
7.5
2014-06-06 CVE-2012-5583 Cryptographic Issues vulnerability in Apereo PHPcas
phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
network
apereo CWE-310
5.8