CVE-2010-3690: XSS
First published: Thu Oct 07 2010(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apereo phpCAS | =0.2 | |
| Apereo phpCAS | =0.3 | |
| Apereo phpCAS | =0.3.1 | |
| Apereo phpCAS | =0.3.2 | |
| Apereo phpCAS | =0.4 | |
| Apereo phpCAS | =0.4.1 | |
| Apereo phpCAS | =0.4.8 | |
| Apereo phpCAS | =0.4.9 | |
| Apereo phpCAS | =0.4.10 | |
| Apereo phpCAS | =0.4.11 | |
| Apereo phpCAS | =0.4.12 | |
| Apereo phpCAS | =0.4.13 | |
| Apereo phpCAS | =0.4.14 | |
| Apereo phpCAS | =0.4.15 | |
| Apereo phpCAS | =0.4.16 | |
| Apereo phpCAS | =0.4.17 | |
| Apereo phpCAS | =0.4.18 | |
| Apereo phpCAS | =0.4.19 | |
| Apereo phpCAS | =0.4.20 | |
| Apereo phpCAS | =0.4.21 | |
| Apereo phpCAS | =0.4.22 | |
| Apereo phpCAS | =0.4.23 | |
| Apereo phpCAS | =0.5.0 | |
| Apereo phpCAS | =0.5.1 | |
| Apereo phpCAS | =0.6.0 | |
| Apereo phpCAS | =1.0.0 | |
| Apereo phpCAS | =1.0.1 | |
| Apereo phpCAS | =1.1.0 | |
| Apereo phpCAS | =1.1.1 | |
| Apereo phpCAS | <=1.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2010/10/01/2
- http://www.openwall.com/lists/oss-security/2010/09/29/6
- https://issues.jasig.org/browse/PHPCAS-80
- http://www.openwall.com/lists/oss-security/2010/10/01/5
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82
- https://developer.jasig.org/source/changelog/jasigsvn?cs=21538
- http://www.vupen.com/english/advisories/2010/2705
- http://secunia.com/advisories/41878
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049602.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049600.html
- http://www.securityfocus.com/bid/43585
- http://www.vupen.com/english/advisories/2010/2909
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050415.html
- http://secunia.com/advisories/42184
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050428.html
- https://forge.indepnet.net/projects/glpi/repository/revisions/12601
- http://secunia.com/advisories/42149
- http://secunia.com/advisories/43427
- http://www.vupen.com/english/advisories/2011/0456
- http://www.debian.org/security/2011/dsa-2172
Frequently Asked Questions
What is the severity of CVE-2010-3690?
CVE-2010-3690 is considered a medium severity vulnerability due to its potential for cross-site scripting attacks.
How do I fix CVE-2010-3690?
To fix CVE-2010-3690, upgrade to phpCAS version 1.1.3 or later where the vulnerabilities have been patched.
What software versions are affected by CVE-2010-3690?
CVE-2010-3690 affects multiple versions of phpCAS prior to 1.1.3.
Can CVE-2010-3690 lead to data compromise?
Yes, CVE-2010-3690 can lead to data compromise through cross-site scripting, enabling attackers to inject malicious scripts.
Is authentication compromised due to CVE-2010-3690?
While CVE-2010-3690 primarily involves XSS, it can indirectly affect authentication by allowing attackers to capture credentials.
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/apereo
- canonical/apereo phpcas
- version/apereo phpcas/0.2
- version/apereo phpcas/0.3
- version/apereo phpcas/0.3.1
- version/apereo phpcas/0.3.2
- version/apereo phpcas/0.4
- version/apereo phpcas/0.4.1
- version/apereo phpcas/0.4.8
- version/apereo phpcas/0.4.9
- version/apereo phpcas/0.4.10
- version/apereo phpcas/0.4.11
- version/apereo phpcas/0.4.12
- version/apereo phpcas/0.4.13
- version/apereo phpcas/0.4.14
- version/apereo phpcas/0.4.15
- version/apereo phpcas/0.4.16
- version/apereo phpcas/0.4.17
- version/apereo phpcas/0.4.18
- version/apereo phpcas/0.4.19
- version/apereo phpcas/0.4.20
- version/apereo phpcas/0.4.21
- version/apereo phpcas/0.4.22
- version/apereo phpcas/0.4.23
- version/apereo phpcas/0.5.0
- version/apereo phpcas/0.5.1
- version/apereo phpcas/0.6.0
- version/apereo phpcas/1.0.0
- version/apereo phpcas/1.0.1
- version/apereo phpcas/1.1.0
- version/apereo phpcas/1.1.1
- version/apereo phpcas/1.1.2