Vendor CVEs

Apereo

All CVEs

22 total · sorted by risk
  • CVE-2026-32985 · Critical · Mar 20, 2026
    risk 0.72 · cvss 9.8 · epss 0.01

    Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads.…

  • CVE-2014-2296 · High · Jul 20, 2018
    risk 0.57 · cvss 8.8 · epss 0.02

    XML external entity (XXE) vulnerability in java/org/jasig/cas/util/SamlUtils.java in Jasig CAS server before 3.4.12.1 and 3.5.x before 3.5.2.1, when Google Accounts Integration is enabled, allows remote unauthenticated users to bypass authentication via crafted XML data.

  • CVE-2017-1000071 · High · Jul 17, 2017
    risk 0.53 · cvss 8.1 · epss 0.04

    Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server.

  • CVE-2025-12266 · Medium · Oct 27, 2025
    risk 0.41 · cvss 6.3 · epss 0.00

    A vulnerability was detected in Zytec Dalian Zhuoyun Technology Central Authentication Service up to 20251009. This vulnerability affects the function _empty of the file /index.php/auth/widget. Performing manipulation of the argument get.layer/get.widget/get.action results in…

  • CVE-2017-1000221 · Medium · Nov 17, 2017
    risk 0.35 · cvss 6.5 · epss 0.01

    In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a…

  • CVE-2025-3986 · Apr 27, 2025
    risk 0.00 · cvss (none listed) · epss 0.01

    A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerContro…

  • CVE-2025-3985 · Apr 27, 2025
    risk 0.00 · cvss (none listed) · epss 0.01

    A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionControl…

  • CVE-2025-3984 · Apr 27, 2025
    risk 0.00 · cvss (none listed) · epss 0.00

    A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java…

  • CVE-2024-11209 · Nov 14, 2024
    risk 0.00 · cvss (none listed) · epss 0.01

    A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been…

  • CVE-2024-11208 · Nov 14, 2024
    risk 0.00 · cvss (none listed) · epss 0.01

    A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather…

  • CVE-2024-11207 · Nov 14, 2024
    risk 0.00 · cvss (none listed) · epss 0.00

    A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login. The manipulation of the argument redirect_uri leads to open redirect. The attack can be launched remotely. The exploit…

  • CVE-2018-16153 · Dec 12, 2023
    risk 0.00 · cvss (none listed) · epss 0.01

    An issue was discovered in Apereo Opencast 4.x through 10.x before 10.6. It sends system digest credentials during authentication attempts to arbitrary external services in some situations.

  • CVE-2023-4612 · Nov 9, 2023
    risk 0.00 · cvss (none listed) · epss 0.01

    Improper Authentication vulnerability in Apereo CAS in the jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass. This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date…

  • CVE-2023-28857 · Jun 27, 2023
    risk 0.00 · cvss (none listed) · epss 0.01

    Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When…

  • CVE-2022-39369 · Nov 1, 2022
    risk 0.00 · cvss (none listed) · epss 0.01

    phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the…

  • CVE-2015-1169 · Feb 10, 2015
    risk 0.00 · cvss (none listed) · epss 0.03

    Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.

  • CVE-2012-5583 · Jun 6, 2014
    risk 0.00 · cvss (none listed) · epss 0.01

    phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

  • CVE-2010-3692 · Oct 7, 2010
    risk 0.00 · cvss (none listed) · epss 0.04

    Directory traversal vulnerability in the callback function in client.php in phpCAS before 1.1.3, when proxy mode is enabled, allows remote attackers to create or overwrite arbitrary files via directory traversal sequences in a Proxy Granting Ticket IOU (PGTiou) parameter.

  • CVE-2010-3691 · Oct 7, 2010
    risk 0.00 · cvss (none listed) · epss 0.00

    PGTStorage/pgt-file.php in phpCAS before 1.1.3, when proxy mode is enabled, allows local users to overwrite arbitrary files via a symlink attack on an unspecified file.

  • CVE-2010-3690 · Oct 7, 2010
    risk 0.00 · cvss (none listed) · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2)…

  • CVE-2010-2796 · Aug 5, 2010
    risk 0.00 · cvss (none listed) · epss 0.03

    Cross-site scripting (XSS) vulnerability in phpCAS before 1.1.2, when proxy mode is enabled, allows remote attackers to inject arbitrary web script or HTML via a callback URL.

  • CVE-2010-2795 · Aug 5, 2010
    risk 0.00 · cvss (none listed) · epss 0.02

    phpCAS before 1.1.2 allows remote authenticated users to hijack sessions via a query string containing a crafted ticket value.