Vulnerabilities > Apereo > Phpcas

DATE CVE VULNERABILITY TITLE RISK
2022-11-01 CVE-2022-39369 Improper Validation of Specified Type of Input vulnerability in multiple products
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server.
network
low complexity
apereo fedoraproject CWE-1287
8.0
2020-01-24 CVE-2014-4172 Injection vulnerability in multiple products
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
network
low complexity
apereo debian fedoraproject CWE-74
critical
9.8
2019-12-05 CVE-2012-1105 Information Exposure vulnerability in multiple products
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory.
local
low complexity
apereo fedoraproject debian CWE-200
2.1
2019-12-05 CVE-2012-1104 Improper Privilege Management vulnerability in multiple products
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services are managed.
network
low complexity
apereo linux debian CWE-269
5.0
2017-07-17 CVE-2017-1000071 Improper Authentication vulnerability in Apereo PHPcas 1.3.4
Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server.
network
apereo CWE-287
6.8
2014-06-06 CVE-2012-5583 Cryptographic Issues vulnerability in Apereo PHPcas
phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
network
apereo CWE-310
5.8
2010-10-07 CVE-2010-3692 Path Traversal vulnerability in Apereo PHPcas
Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter.
network
low complexity
apereo CWE-22
6.4
2010-10-07 CVE-2010-3691 Link Following vulnerability in Apereo PHPcas
PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file.
local
apereo CWE-59
3.3
2010-10-07 CVE-2010-3690 Cross-Site Scripting vulnerability in Apereo PHPcas
Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls.
network
apereo CWE-79
4.3