Description
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
Published: 2020-01-24
Score: 9.8 Critical
EPSS: 6.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-3017-1 php-cas security update
EUVD EUVD EUVD-2022-3362 A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
Github GHSA Github GHSA GHSA-9fc5-q25c-r2wr Jasig Java CAS Client, .NET CAS Client, and phpCAS contain URL parameter injection vulnerability
History

No history.

Subscriptions

Apereo .net Cas Client Java Cas Client Phpcas
Debian Debian Linux
Fedoraproject Fedora
Redhat Jboss Enterprise Portal Platform
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-06T11:04:28.882Z

Reserved: 2014-06-17T00:00:00.000Z

Link: CVE-2014-4172

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-01-24T19:15:12.010

Modified: 2024-11-21T02:09:38.420

Link: CVE-2014-4172

cve-icon Redhat

Severity : Important

Publid Date: 2014-08-11T00:00:00Z

Links: CVE-2014-4172 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses