Filtered by vendor Apereo
Subscriptions
Total
36 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11208 | 1 Apereo | 2 Cas Server, Central Authentication Service | 2024-11-19 | 3.7 Low |
| A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-11209 | 1 Apereo | 2 Cas Server, Central Authentication Service | 2024-11-19 | 6.3 Medium |
| A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-11207 | 1 Apereo | 1 Cas | 2024-11-15 | 4.3 Medium |
| A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login. The manipulation of the argument redirect_uri leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-4612 | 1 Apereo | 1 Central Authentication Service | 2024-10-10 | 9.8 Critical |
| Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vulnerability. | ||||
| CVE-2018-1000836 | 1 Apereo | 1 Bw-calendar-engine | 2024-09-16 | N/A |
| bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server. | ||||
| CVE-2017-1000221 | 1 Apereo | 1 Opencast | 2024-09-16 | N/A |
| In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X. | ||||
| CVE-2018-20000 | 1 Apereo | 1 Bw-webdav | 2024-09-16 | N/A |
| Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. | ||||
| CVE-2010-3691 | 1 Apereo | 1 Phpcas | 2024-08-07 | N/A |
| PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file. | ||||
| CVE-2010-3690 | 1 Apereo | 1 Phpcas | 2024-08-07 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls. | ||||
| CVE-2010-3692 | 1 Apereo | 1 Phpcas | 2024-08-07 | N/A |
| Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter. | ||||
| CVE-2012-5583 | 1 Apereo | 1 Phpcas | 2024-08-06 | N/A |
| phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
| CVE-2012-1104 | 3 Apereo, Debian, Linux | 3 Phpcas, Debian Linux, Linux Kernel | 2024-08-06 | 5.3 Medium |
| A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services are managed. | ||||
| CVE-2012-1105 | 3 Apereo, Debian, Fedoraproject | 3 Phpcas, Debian Linux, Fedora | 2024-08-06 | 5.5 Medium |
| An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner. | ||||
| CVE-2014-4172 | 4 Apereo, Debian, Fedoraproject and 1 more | 6 .net Cas Client, Java Cas Client, Phpcas and 3 more | 2024-08-06 | 9.8 Critical |
| A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java. | ||||
| CVE-2014-2296 | 1 Apereo | 1 Cas Server | 2024-08-06 | N/A |
| XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. | ||||
| CVE-2015-1169 | 1 Apereo | 1 Central Authentication Service | 2024-08-06 | N/A |
| Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication. | ||||
| CVE-2017-1000071 | 1 Apereo | 1 Phpcas | 2024-08-05 | N/A |
| Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server. | ||||
| CVE-2018-16153 | 1 Apereo | 1 Opencast | 2024-08-05 | 7.5 High |
| An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations. | ||||
| CVE-2019-10754 | 1 Apereo | 1 Central Authentication Service | 2024-08-04 | 8.1 High |
| Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. | ||||
| CVE-2020-27178 | 1 Apereo | 1 Central Authentication Service | 2024-08-04 | 7.5 High |
| Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication. | ||||