CVE-2021-42567
published 2021-12-07

CVE-2021-42567: Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.

Priority: P1 · 81
Severity: medium, CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploitation: ITW exploit · VulnCheck KEV (exploited in the wild)
EPSS: 8.06% (94.1th percentile)

Affected (2 ranges)

Vendor   Product                          Version range          Fixed in
apereo   central_authentication_service   >= 6.3.0, < 6.3.7.1    6.3.7.1
apereo   central_authentication_service   >= 6.4.0, < 6.4.2      6.4.2

Detection & IOCs (extracted from sources)

url: /cas/v1/tickets/
command: username=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&password=test
other: <img/src/onerror=alert(document.domain)>
  • Detect POST requests to /cas/v1/tickets/ whose 'username' parameter carries an XSS payload; URL-decode the form body first, since the angle brackets and event handler arrive percent-encoded (%3C, %3E, %3D).
  • Look for HTTP 401 responses from the CAS REST API that echo unsanitized user-supplied input (the username or a ticket ID) back in the response body.
  • Treat a 401 whose body contains both the reflected payload string and 'java.util.HashMap' as confirmation that the input is reflected unescaped, not merely that a probe was attempted.
  • Use Shodan/FOFA title fingerprinting to enumerate exposed CAS instances before testing.
  • The malicious POST is sent with Content-Type application/x-www-form-urlencoded to the REST API endpoint.
  • Vulnerable versions are Apereo CAS through 6.4.1. The affected table above gives the fixes as 6.3.7.1 and 6.4.2, while one extracted source quotes 6.3.7.4 and 6.4.4.2 instead; scope targets by version before triggering active probes.
  • The XSS is reflected and POST-based, so scanners that only test GET parameters will miss it; a crafted (auto-submitting) HTML form or a direct POST request is required to deliver the payload.
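The detection steps above, and the version scoping from the affected table, as an added worked example (this is not code from the vulnerability database or from the Apereo CAS project). It URL-decodes the form body before matching, accepts only the POST form-body vector, and separates an attempted probe from a confirmed reflection using the two markers the page names (the echoed payload and 'java.util.HashMap' in a 401 body). The exchanges in SAMPLE_EXCHANGES are constructed for illustration; the real CAS 401 body is not reproduced, and the benign status codes are assumptions.

```python
"""Detection and version-scoping helpers for the CVE-2021-42567 probe shape.

Added example, not code from the vulnerability database or from Apereo CAS.
SAMPLE_EXCHANGES below is constructed for illustration, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlparse

TICKETS_PATH = "/cas/v1/tickets"
REFLECTION_MARKER = "java.util.HashMap"

# Coarse markers for HTML injection once the form body is URL-decoded: a literal
# angle bracket or an inline event handler such as onerror=/onload=. Tune before
# deploying; a legitimate username containing these is unusual but possible.
XSS_MARKER = re.compile(r"<|\bon[a-z]+\s*=", re.IGNORECASE)

# Affected ranges as given in the page's table: [first affected, fixed) per branch.
AFFECTED_RANGES = [((6, 3, 0), (6, 3, 7, 1)), ((6, 4, 0), (6, 4, 2))]


def parse_version(text):
    """'6.3.7.1' -> (6, 3, 7, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True if a reported CAS version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


def suspicious_request(method, path, content_type, body):
    """Return the decoded username if the request matches the probe shape, else None.

    Only the POST form-body vector is matched: a payload in a GET query string
    is not the vector described for this CVE.
    """
    if method.upper() != "POST":
        return None
    if urlparse(path).path.rstrip("/") != TICKETS_PATH:
        return None
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return None
    # parse_qs percent-decodes values, so %3C becomes '<' before the regex runs.
    params = parse_qs(body, keep_blank_values=True)
    for username in params.get("username", []):
        if XSS_MARKER.search(username):
            return username
    return None


def confirms_reflection(status, response_body, payload):
    """True if a 401 response echoes the decoded payload beside the HashMap marker."""
    return status == 401 and payload in response_body and REFLECTION_MARKER in response_body


def scan(exchanges):
    """Classify each request/response pair as 'reflected' or 'attempted', skipping the rest."""
    findings = []
    for ex in exchanges:
        payload = suspicious_request(ex["method"], ex["path"], ex["content_type"], ex["body"])
        if payload is None:
            continue
        verdict = "reflected" if confirms_reflection(ex["status"], ex["response"], payload) else "attempted"
        findings.append((ex["path"], verdict, payload))
    return findings


# Constructed sample exchanges (not captured traffic; status codes are assumptions).
POC_BODY = "username=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&password=test"
FORM = "application/x-www-form-urlencoded"
SAMPLE_EXCHANGES = [
    {"method": "POST", "path": "/cas/v1/tickets/", "content_type": FORM, "body": POC_BODY,
     "status": 401,
     # Constructed body carrying only the two markers the page says to match.
     "response": "401 Unauthorized <img/src/onerror=alert(document.domain)> java.util.HashMap"},
    {"method": "POST", "path": "/cas/v1/tickets", "content_type": FORM,
     "body": "username=alice&password=correct-horse", "status": 201, "response": "Created"},
    {"method": "GET", "path": "/cas/v1/tickets?username=%3Cimg%3E", "content_type": "text/plain",
     "body": "", "status": 405, "response": "Method Not Allowed"},
    {"method": "POST", "path": "/cas/v1/tickets/", "content_type": FORM, "body": POC_BODY,
     "status": 401, "response": "Authentication failed"},  # payload not echoed: patched or filtered
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EXCHANGES):
        print(finding)
    print("6.4.1 affected:", is_affected("6.4.1"), "| 6.4.2 affected:", is_affected("6.4.2"))
```

The split between 'attempted' and 'reflected' matters for triage: a probe against a patched or WAF-fronted instance still produces the request-side indicator, but only an unescaped echo in the 401 body shows the instance is actually vulnerable.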

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         3.1      6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd         2.0      4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck            6.1    MEDIUM