Filtered by vendor Apereo
Subscribe
Total
30 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-5583 | 1 Apereo | 1 Phpcas | 2019-12-30 | 5.8 MEDIUM | N/A |
| phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | |||||
| CVE-2010-3691 | 1 Apereo | 1 Phpcas | 2019-12-30 | 3.3 LOW | N/A |
| PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file. | |||||
| CVE-2012-1105 | 3 Apereo, Debian, Fedoraproject | 3 Phpcas, Debian Linux, Fedora | 2019-12-17 | 2.1 LOW | 5.5 MEDIUM |
| An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner. | |||||
| CVE-2017-1000071 | 1 Apereo | 1 Phpcas | 2019-10-02 | 6.8 MEDIUM | 8.1 HIGH |
| Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server. | |||||
| CVE-2017-1000221 | 1 Apereo | 1 Opencast | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role ROLE_USER will have access to recordings published only for ROLE_USER_X. | |||||
| CVE-2019-10754 | 1 Apereo | 1 Central Authentication Service | 2019-09-24 | 5.5 MEDIUM | 8.1 HIGH |
| Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. | |||||
| CVE-2018-1000836 | 1 Apereo | 1 Bw-calendar-engine | 2019-02-07 | 6.8 MEDIUM | 9.0 CRITICAL |
| bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server. | |||||
| CVE-2018-20000 | 1 Apereo | 1 Bw-webdav | 2019-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as demonstrated by an invite-reply document that reads a local file, related to webdav/servlet/common/MethodBase.java and webdav/servlet/common/PostRequestPars.java. | |||||
| CVE-2014-2296 | 1 Apereo | 1 Cas Server | 2018-09-19 | 6.8 MEDIUM | 8.8 HIGH |
| XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data. | |||||
| CVE-2015-1169 | 1 Apereo | 1 Central Authentication Service | 2015-02-11 | 7.5 HIGH | N/A |
| Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication. | |||||