A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client prior to 3.3.2, .NET CAS Client prior to 1.0.2, and phpCAS prior to 1.3.3. It allows remote malicious users to inject arbitrary web script or HTML via (1) the service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) the pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
Vulnerable Product |
---|
apereo .net cas client |
apereo java cas client |
apereo phpcas |
debian debian linux 7.0 |
fedoraproject fedora 20 |