Vulnerabilities: Apereo phpCAS 0.4.20
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK (CVSS SCORE) |
---|---|---|---|---|
2022-11-01 | CVE-2022-39369 | Improper Validation of Specified Type of Input vulnerability in multiple products | phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. Before version 1.6.0, phpCAS derived the service URL it sends to the CAS server during ticket validation from HTTP request headers (Host and forwarded-host headers), so a client controlling those headers could have a ticket issued for a different service in the same SSO realm accepted by the phpCAS-protected application. Version 1.6.0 makes the service base URL an explicit, mandatory argument to phpCAS::client(). | 8.0 |
2020-01-24 | CVE-2014-4172 | Injection vulnerability in multiple products | A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java. | 9.8 |
2014-06-06 | CVE-2012-5583 | Cryptographic Issues vulnerability in Apereo phpCAS | phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |
2010-10-07 | CVE-2010-3692 | Path Traversal vulnerability in Apereo phpCAS | Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter. | 6.4 |
2010-10-07 | CVE-2010-3691 | Link Following vulnerability in Apereo phpCAS | PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file. | 3.3 |
2010-10-07 | CVE-2010-3690 | Cross-Site Scripting vulnerability in Apereo phpCAS | Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. | 4.3 |
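Two of the entries above share a root cause that is easy to reproduce in a few lines: trusting request-supplied values (the Host header for the service URL in CVE-2022-39369, the PGTiou parameter used as a filename and echoed back in CVE-2010-3692 and CVE-2010-3690). The PHP below is an added illustration written for this page; it is not phpCAS source code and does not reproduce its internals. The function names, the `$service_base_url` handling and the sample request array are hypothetical, constructed to show the header-derived pattern beside the configured-base-URL pattern that phpCAS 1.6.0 enforces through its mandatory service base URL argument to `phpCAS::client()`, plus an allow-list check of the shape that keeps a PGTiou out of file paths and HTML.

```php
<?php
// Added example (not phpCAS code). Hypothetical helper names throughout.

/**
 * Vulnerable pattern: the service URL that will be sent to the CAS server
 * for ticket validation is rebuilt from request headers. Host and
 * X-Forwarded-Host are chosen by the client, so an attacker can make the
 * application validate a ticket against a service the attacker picked.
 */
function service_url_from_request(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'];
    $path   = $server['REQUEST_URI'] ?? '/';
    return $scheme . '://' . $host . $path;
}

/**
 * Hardened pattern: scheme, host and port come from application configuration
 * (the idea behind the service base URL phpCAS 1.6.0 requires). Only the path
 * is taken from the request, and the ticket= parameter is stripped so the URL
 * matches the one the CAS server originally redirected to.
 */
function service_url_from_config(string $service_base_url, array $server): string
{
    if (!preg_match('#^https?://[A-Za-z0-9.-]+(:[0-9]+)?$#', $service_base_url)) {
        throw new InvalidArgumentException('service base URL must be scheme://host[:port] with no path');
    }
    $path = $server['REQUEST_URI'] ?? '/';
    // Remove "ticket=..." wherever it sits in the query string, then tidy dangling separators.
    $path = preg_replace('/([?&])ticket=[^&]*(&|$)/', '$1', $path);
    $path = rtrim($path, '?&');
    return rtrim($service_base_url, '/') . $path;
}

/**
 * PGTiou allow-list check. A value that can only contain the PGTIOU- prefix
 * followed by letters, digits, dot, underscore and hyphen has no path
 * separators (CVE-2010-3692) and no markup characters (CVE-2010-3690), so it
 * is safe to use as a storage key and to echo in a response.
 */
function is_valid_pgtiou(string $pgtiou): bool
{
    return (bool) preg_match('/^PGTIOU-[\.\-\w]+$/', $pgtiou);
}

// Constructed sample request: the client presents a ticket while pointing the
// Host header at a host it controls. Not captured from a real deployment.
$request = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'attacker.example',
    'REQUEST_URI' => '/app/login.php?ticket=ST-12345-abc',
];

echo "header-derived:  ", service_url_from_request($request), "\n";
echo "config-derived:  ", service_url_from_config('https://app.example', $request), "\n";

foreach (['PGTIOU-1-abc.def', '../../../var/www/index.php', 'PGTIOU-<script>'] as $candidate) {
    echo str_pad($candidate, 30), is_valid_pgtiou($candidate) ? 'accepted' : 'rejected', "\n";
}
```

With the constructed request, the header-derived URL carries the attacker's host, so a ticket the CAS server issued for that host validates successfully and the application treats the request as authenticated; the configured URL carries the application's own host with the ticket parameter removed, and a ticket issued for any other service fails validation. The PGTiou check rejects both the traversal string and the markup string before either reaches the filesystem or an HTML response.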