CVE-2021-42567
Published: 2021-12-07
Priority P1 · 81 · medium · 6.1 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 8.06% (94.1 percentile)
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apereo | central_authentication_service | >= 6.3.0 < 6.3.7.1 | 6.3.7.1 |
| apereo | central_authentication_service | >= 6.4.0 < 6.4.2 | 6.4.2 |
Detection & IOCs (extracted from sources)
- url: /cas/v1/tickets/
- command: username=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&password=test
- other: <img/src/onerror=alert(document.domain)>
- Detect POST requests to /cas/v1/tickets/ containing XSS payloads in the 'username' parameter (URL-encoded angle brackets or event handlers).
- Look for HTTP 401 responses from the CAS REST API that echo back unsanitized user-supplied input (username or ticket ID) in the response body.
- Match a response body containing both the reflected XSS payload string and 'java.util.HashMap' alongside an HTTP 401 status to confirm exploitation.
- Use Shodan/FOFA to identify exposed CAS instances via title fingerprinting before testing.
- The Content-Type of the malicious POST request is application/x-www-form-urlencoded, targeting the REST API endpoint.
- Vulnerable versions are Apereo CAS through 6.4.1; fixed versions are 6.3.7.4 and 6.4.4.2; ensure version scoping is applied before triggering active probes.
- The XSS is POST-based (reflected), meaning standard GET-based XSS scanners will miss it; a crafted HTML form or direct POST request is required to trigger the payload.
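The detection hints above, turned into code as an added example (this is not code from the original page, from the CAS project, or from any of the sources listed here): a small Python checker that classifies request/response records for the CAS REST ticket endpoint. It URL-decodes the 'username' form field and the trailing ticket-ID path segment, looks for markup or an inline event handler, and then correlates with the response to distinguish a mere attempt from a confirmed reflection (HTTP 401 body that echoes the payload next to 'java.util.HashMap'). The record field names (method, path, body, status, response_body) and the sample records are constructed assumptions about how a log pipeline might present the data.

```python
"""Detection helper for CVE-2021-42567 (reflected XSS in the Apereo CAS REST API).

Added example: applies the detection hints from the page to constructed
request/response records. Record keys are an assumed log-pipeline layout.
"""
import re
from urllib.parse import parse_qs, unquote

TICKETS_PATH = "/cas/v1/tickets/"

# Markup (e.g. "<img", "</a", "<!--") or an inline event handler ("onerror=")
# anywhere in the decoded value. Tune for your environment; "on...=" can
# occasionally match legitimate text containing that pattern.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_values(path: str, body: str) -> list:
    """Return decoded request values that look like HTML/JS injection.

    Checks the ticket-ID path segment after /cas/v1/tickets/ and every
    'username' value in the form-encoded body (parse_qs percent-decodes).
    """
    hits = []
    if path.startswith(TICKETS_PATH):
        ticket_id = unquote(path[len(TICKETS_PATH):])
        if ticket_id and MARKUP_RE.search(ticket_id):
            hits.append(ticket_id)
    for value in parse_qs(body, keep_blank_values=True).get("username", []):
        if MARKUP_RE.search(value):
            hits.append(value)
    return hits


def classify(record: dict) -> str:
    """Classify one request/response record.

    'benign'    - not a POST to the ticket endpoint, or no payload seen
    'attempt'   - payload present in the request, no reflection observed
    'reflected' - HTTP 401 whose body echoes the payload next to
                  'java.util.HashMap' (the page's confirmation IOC)
    """
    if record.get("method") != "POST" or not record.get("path", "").startswith(TICKETS_PATH):
        return "benign"
    hits = suspicious_values(record["path"], record.get("body", ""))
    if not hits:
        return "benign"
    response = record.get("response_body", "")
    if (record.get("status") == 401
            and "java.util.HashMap" in response
            and any(hit in response for hit in hits)):
        return "reflected"
    return "attempt"


def scan(records: list) -> list:
    """Classify a batch of records, preserving order."""
    return [classify(r) for r in records]


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    {   # ordinary ticket request
        "method": "POST", "path": TICKETS_PATH,
        "body": "username=alice&password=s3cret",
        "status": 201, "response_body": "",
    },
    {   # payload in 'username', 401 echoes it back beside java.util.HashMap
        "method": "POST", "path": TICKETS_PATH,
        "body": "username=%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E&password=test",
        "status": 401,
        "response_body": "java.util.HashMap <img/src/onerror=alert(document.domain)>",
    },
    {   # same payload in the ticket-ID path segment, no reflection seen
        "method": "POST",
        "path": TICKETS_PATH + "%3Cimg%2Fsrc%2Fonerror%3Dalert%28document.domain%29%3E",
        "body": "service=https%3A%2F%2Fapp.example",
        "status": 404, "response_body": "",
    },
    {   # GET to the endpoint is out of scope for this POST-based check
        "method": "GET", "path": TICKETS_PATH,
        "body": "", "status": 405, "response_body": "",
    },
]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(verdict, record["method"], record["path"])
```

Run the file directly to see the verdicts for the sample records; in a pipeline, feed `classify` one parsed access-log or WAF record at a time and alert on 'reflected' while counting 'attempt' per source for trend analysis.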
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |
GHSA
Cross-site Scripting in Apereo CAS (ghsa, 2021-12-10, MEDIUM, CWE-79)
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
OSV
Cross-site Scripting in Apereo CAS (osv, 2021-12-10, MEDIUM)
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
VulnCheck
apereo central_authentication_service Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (vulncheck, 2021, CVSS 6.1, MEDIUM)
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
Affected: apereo central_authentication_service
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-42567; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2021-42567; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&hos
No detection rules found.
Nuclei
Apereo CAS Cross-Site Scripting (nuclei, CVSS 6.1, MEDIUM)
Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
Template:
```yaml
id: CVE-2021-42567

info:
  name: Apereo CAS Cross-Site Scripting
  author: pdteam
  severity: medium
  description: Apereo CAS through 6.4.1 allows cross-site scripting via POST requests sent to the REST API endpoints.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, data theft, or defacement.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
  reference:
    - https://apereo.github.io/2021/10/18/restvuln/
    - https://www.sudokaikan.com/2021/12/exploit-cve-2
```
GreyNoise
NoiseLetter September 2025 (blogs_greynoiseio)
HackerOne
CVE-2021-42567 - Apereo CAS Reflected XSS on https://█████████ (hackerone, 2022-03-18, CVSS 6.1, MEDIUM)
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints. CAS is vulnerable to a Reflected Cross-Site Scripting attack via POST requests sent to the REST API endpoints. The payload could be injected on URLs: /███████/. Malicious scripts can be submitted to CAS via parameters such as the ticket ID or the username. That results in CAS rejecting the request and producing a response in which the value of the vulnerable parameter is echoed back, resulting in its execution.
VULNERABLE SITE: https://██████████
VULNERABLE ENDPOINT: https://███████/█████████/
PROOF OF CONCEPT:
* It seems easy as you just need to drop the XSS payload inside the parameter "username" or at the end of the endpoint's path (in