Debian Php-Cas vulnerabilities
4 known vulnerabilities affecting debian/php-cas.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2022-39369 [HIGH] CVSS 8.0 | fixed in php-cas 1.6.0-1 (bookworm) | 2022
phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm
CVE-2017-1000071 [HIGH] CVSS 8.1 | fixed in php-cas 1.3.6-1 (bookworm) | 2017
Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass in the validateCAS20 function when configured to authenticate against an old CAS server.
Scope: local
bookworm: resolved (fixed in 1.3.6-1)
bullseye: resolved (fixed in 1.3.6-1)
forky: resolved (fixed in 1.3.6-1)
sid: resolved (fixed in 1.3.6-1)
trixie: resolved (fixed in 1.3.6-1)
CVE-2014-4172 [CRITICAL] CVSS 9.8 | fixed in php-cas 1.3.3-1 (bookworm) | 2014
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUr
CVE-2012-5583 [MEDIUM] CVSS 5.8 | fixed in php-cas 1.3.1-2 (bookworm) | 2012
phpCAS before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Scope: local
bookworm: resolved (fixed in 1.3.1-2)
bullseye: resolved (fixed in 1.3.1-2)
forky: resolve