Impact
Drupal's Central Authentication System (CAS) Server contains an XML Injection vulnerability, also known as Blind XPath Injection. The flaw allows a malicious actor to inject crafted XML elements that are interpreted by the server’s XML processing engine. By manipulating the XML payload, an attacker can gain elevated privileges within the CAS system, potentially accessing or modifying data reserved for higher‑privileged users.
Affected Systems
The vulnerability impacts Drupal Central Authentication System (CAS) Server versions prior to 2.0.3 (including 0.0.0 up to 2.0.2) and prior to 2.1.2 (including 2.1.0 and 2.1.1). Systems running any of those releases should be considered at risk.
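A triage check for the affected ranges stated above, as an added example (not code from the advisory or from the CAS Server project). It classifies installed version strings, conservatively treating a pre-release of a fixed version as still affected and unparseable strings such as dev snapshots as unknown; the inventory, hostnames and function names are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory: [0.0.0, 2.0.3) and [2.1.0, 2.1.2).
AFFECTED_RANGES = [((0, 0, 0), (2, 0, 3)), ((2, 1, 0), (2, 1, 2))]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None  # e.g. "2.1.x-dev": a branch snapshot, not a tagged release
    return tuple(int(p) for p in m.group(1, 2, 3)), m.group(4) is not None


def classify(version_text):
    """Classify a version string as 'affected', 'fixed' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # needs manual review against the fix commit
    release, is_prerelease = parsed
    for low, high in AFFECTED_RANGES:
        if low <= release < high:
            return "affected"
        # Conservative choice: 2.0.3-rc1 sorts before 2.0.3, so it counts as prior.
        if release == high and is_prerelease:
            return "affected"
    return "fixed"


def triage(inventory):
    """Map each host in {host: installed_version} to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "sso-a.example.test": "2.0.2",
    "sso-b.example.test": "2.0.3",
    "sso-c.example.test": "2.1.1",
    "sso-d.example.test": "2.1.x-dev",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```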
Risk and Exploitability
The CVSS v3.1 score is 4.2, indicating low to moderate impact. The EPSS is below 1%, suggesting a very low probability of exploitation in current real‑world activity, and the flaw is not listed in the CISA KEV catalog. The attack likely requires authenticated access to the CAS server’s XML endpoints, or an attacker who can otherwise inject XML payloads into the system. The exact vector is not specified in the available data, so we infer that exploitation would involve sending malicious XML to a vulnerable endpoint and that privilege escalation would result from that XML being re‑interpreted as higher‑privileged requests.