UBUNTU-CVE-2014-4172

Source
https://ubuntu.com/security/CVE-2014-4172
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-4172.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2014-4172
Related
Published
2020-01-24T19:15:00Z
Modified
2025-01-13T10:21:06Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.

References

Affected packages

Ubuntu:16.04:LTS / php-cas

Package

Name
php-cas
Purl
pkg:deb/ubuntu/php-cas@1.3.3-1?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.3-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.3.3-1",
            "binary_name": "php-cas"
        }
    ]
}