Vulnerabilities (CVE)

Filtered by vendor Apereo Subscribe
Total 35 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-16153 1 Apereo 1 Opencast 2024-11-21 N/A 7.5 HIGH
An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations.
CVE-2018-1000836 1 Apereo 1 Bw-calendar-engine 2024-11-21 6.8 MEDIUM 9.0 CRITICAL
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.
CVE-2017-1000221 1 Apereo 1 Opencast 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X.
CVE-2017-1000071 1 Apereo 1 Phpcas 2024-11-21 6.8 MEDIUM 8.1 HIGH
Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server.
CVE-2015-1169 1 Apereo 1 Central Authentication Service 2024-11-21 7.5 HIGH N/A
Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.
CVE-2014-4172 3 Apereo, Debian, Fedoraproject 5 .net Cas Client, Java Cas Client, Phpcas and 2 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
CVE-2014-2296 1 Apereo 1 Cas Server 2024-11-21 6.8 MEDIUM 8.8 HIGH
XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.
CVE-2012-5583 1 Apereo 1 Phpcas 2024-11-21 5.8 MEDIUM N/A
phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE-2012-1105 3 Apereo, Debian, Fedoraproject 3 Phpcas, Debian Linux, Fedora 2024-11-21 2.1 LOW 5.5 MEDIUM
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
CVE-2012-1104 3 Apereo, Debian, Linux 3 Phpcas, Debian Linux, Linux Kernel 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
A Security Bypass vulnerability exists in the phpCAS 1.2.2 library from the jasig project due to the way proxying of services are managed.
CVE-2010-3692 1 Apereo 1 Phpcas 2024-11-21 6.4 MEDIUM N/A
Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter.
CVE-2010-3691 1 Apereo 1 Phpcas 2024-11-21 3.3 LOW N/A
PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file.
CVE-2010-3690 1 Apereo 1 Phpcas 2024-11-21 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls.
CVE-2024-11208 1 Apereo 1 Central Authentication Service 2024-11-19 2.6 LOW 8.1 HIGH
A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-11209 1 Apereo 1 Central Authentication Service 2024-11-19 6.5 MEDIUM 9.8 CRITICAL
A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.