VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
Vulnerability Analysis Result (Revision No: 1)
CVE-2010-3690
phpcas: Multiple cross-site scripting (XSS) vulnerabilities...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3690

Original

Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls.

About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-10-07
Source Information Category: Advisory, Alert
Last Updated: 2010-10-08


Affected Product Tags
cpe:/a:jasig:phpcas:0.2
cpe:/a:jasig:phpcas:0.3
cpe:/a:jasig:phpcas:0.3.1
cpe:/a:jasig:phpcas:0.3.2
cpe:/a:jasig:phpcas:0.4
cpe:/a:jasig:phpcas:0.4.1
cpe:/a:jasig:phpcas:0.4.10
cpe:/a:jasig:phpcas:0.4.11
cpe:/a:jasig:phpcas:0.4.12
cpe:/a:jasig:phpcas:0.4.13
cpe:/a:jasig:phpcas:0.4.14
cpe:/a:jasig:phpcas:0.4.15
cpe:/a:jasig:phpcas:0.4.16
cpe:/a:jasig:phpcas:0.4.17
cpe:/a:jasig:phpcas:0.4.18
cpe:/a:jasig:phpcas:0.4.19
cpe:/a:jasig:phpcas:0.4.20
cpe:/a:jasig:phpcas:0.4.21
cpe:/a:jasig:phpcas:0.4.22
cpe:/a:jasig:phpcas:0.4.23
cpe:/a:jasig:phpcas:0.4.8
cpe:/a:jasig:phpcas:0.4.9
cpe:/a:jasig:phpcas:0.5.0
cpe:/a:jasig:phpcas:0.5.1
cpe:/a:jasig:phpcas:0.6.0
cpe:/a:jasig:phpcas:1.0.0
cpe:/a:jasig:phpcas:1.0.1
cpe:/a:jasig:phpcas:1.1.0
cpe:/a:jasig:phpcas:1.1.1
cpe:/a:jasig:phpcas:1.1.2 and previous versions
 


Vulnerability Analysis Results (selected value listed first, with the full scale of options in parentheses)
Access Vector: Network (Undefined, Local, Adjacent Network, Network)
Access Complexity: Medium (Undefined, High, Medium, Low)
Authentication: None (Undefined, Multiple, Single, None)
Confidentiality Impact: None (Undefined, None, Partial, Complete)
Integrity Impact: Partial (Undefined, None, Partial, Complete)
Availability Impact: None (Undefined, None, Partial, Complete)

Alternatives

References
CONFIRM https://issues.jasig.org/browse/PHPCAS-80
CONFIRM https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
MLIST [oss-security] 20101001 Re: CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback
MLIST [oss-security] 20100929 CVE request - phpCAS: prevent symlink attacks, directory traversal and XSS during a proxy callback

Vulnerability Type: Cross-Site Scripting (XSS) (CWE-79)

Copyright © 2010 JPCERT/CC All Rights Reserved.