CVE-2010-3690

medium

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls.

References

https://issues.jasig.org/browse/PHPCAS-80

https://forge.indepnet.net/projects/glpi/repository/revisions/12601

https://developer.jasig.org/source/changelog/jasigsvn?cs=21538

http://www.vupen.com/english/advisories/2011/0456

http://www.vupen.com/english/advisories/2010/2909

http://www.vupen.com/english/advisories/2010/2705

http://www.securityfocus.com/bid/43585

http://www.openwall.com/lists/oss-security/2010/10/01/5

http://www.openwall.com/lists/oss-security/2010/10/01/2

http://www.openwall.com/lists/oss-security/2010/09/29/6

http://www.debian.org/security/2011/dsa-2172

http://secunia.com/advisories/43427

http://secunia.com/advisories/42184

http://secunia.com/advisories/42149

http://secunia.com/advisories/41878

http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049602.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049600.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050428.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050415.html

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542#82

Details

Source: Mitre, NVD

Published: 2010-10-07

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium