cbcvebase.

Apereo Central Authentication Service vulnerabilities

12 known vulnerabilities affecting apereo/central_authentication_service.

Total CVEs
12
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL2HIGH7MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2021-42567P1MEDIUMCVSS 6.1ExploitedPoC≥ 6.3.0, < 6.3.7.1≥ 6.4.0, < 6.4.22021-12-07
CVE-2021-42567 [MEDIUM] CWE-79 CVE-2021-42567: Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints. Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
nvd
CVE-2024-11209P2CRITICALCVSS 9.8v6.6.02024-11-14
CVE-2024-11209 [CRITICAL] CWE-287 CVE-2024-11209: A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unk A vulnerability was found in Apereo CAS 6.6. It has been classified as critical. This affects an unknown part of the file /login?service of the component 2FA. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted earl
nvd
CVE-2023-4612P2CRITICALCVSS 9.8fixed in 7.0.0v7.0.02023-11-09
CVE-2023-4612 [CRITICAL] CWE-302 CVE-2023-4612: Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRe Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr method allows Multi-Factor Authentication bypass.This issue affects CAS: through 7.0.0-RC7. It is unknown whether in new versions the issue will be fixed. For the date of publication there is no patch, and the vendor does not treat it as a vu
nvd
CVE-2025-3984P3HIGHCVSS 7.5v5.2.62025-04-27
CVE-2025-3984 [HIGH] CWE-74 CVE-2025-3984: A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection
nvd
CVE-2024-11208P3HIGHCVSS 8.1v6.6.02024-11-14
CVE-2024-11208 [HIGH] CWE-613 CVE-2024-11208: A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is A vulnerability was found in Apereo CAS 6.6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login?service. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclo
nvd
CVE-2015-1169P3HIGHCVSS 7.5≤ 3.5.22015-02-10
CVE-2015-1169 [HIGH] CWE-74 CVE-2015-1169: Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct L Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.
nvd
CVE-2023-28857P3HIGHCVSS 7.5≥ 6.5.0, < 6.5.9.1≥ 6.6.0, < 6.6.62023-06-27
CVE-2023-28857 [HIGH] CWE-200 CVE-2023-28857: Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be con Apereo CAS is an open source multilingual single sign-on solution for the web. Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via TLS handshake or a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuth
nvd
CVE-2025-3986P3HIGHCVSS 7.5v5.2.62025-04-27
CVE-2025-3986 [HIGH] CWE-400 CVE-2025-3986: A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerabili A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regul
nvd
CVE-2019-10754P3HIGHCVSS 8.1≤ 6.0.5.1v6.1.02019-09-23
CVE-2019-10754 [HIGH] CWE-338 CVE-2019-10754: Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 R Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
nvd
CVE-2020-27178P3HIGHCVSS 7.5≥ 5.3.0, < 5.3.16≥ 6.0.0, < 6.1.7.2+2 more2020-10-16
CVE-2020-27178 [HIGH] CVE-2020-27178: Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 m Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.
nvd
CVE-2024-11207P4MEDIUMCVSS 5.4v6.6.02024-11-14
CVE-2024-11207 [MEDIUM] CWE-601 CVE-2024-11207: A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vul A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login. The manipulation of the argument redirect_uri leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacte
nvd
CVE-2025-3985P4MEDIUMCVSS 4.9v5.2.62025-04-27
CVE-2025-3985 [MEDIUM] CWE-400 CVE-2025-3985: A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects t A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the function ResponseEntity of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\ManageRegisteredServicesMultiActionController.java. The manipulation of the argument Query leads to inefficient reg
nvd
Apereo Central Authentication Service vulnerabilities | cvebase