Vulnerabilities
Vulnerable Software: Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.
CVSS Score: 7.5
EPSS Score: 0.002
Published: 2020-10-16
Vulnerable Software: Multiple classes used within Apereo CAS before release 6.1.0-RC5 make use of Apache commons-lang3 RandomStringUtils for token and ID generation, which makes the generated values predictable because the PRNG behind RandomStringUtils is not cryptographically strong.
CVSS Score: 8.1
EPSS Score: 0.004
Published: 2019-09-23
Vulnerable Software: Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.
CVSS Score: 7.5
EPSS Score: 0.003
Published: 2015-02-10
Shodan ® - All rights reserved