Hi,

As explained briefly in the first post, it's a cross-site scripting vulnerability, which is unfortunately a regular security problem. I recommend you take a look at the Top 10 vulnerabilities referenced by OWASP: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.

Best regards,
Jérôme
2014-05-07 6:49 GMT+02:00 Abdulbasith S <[email protected]>:

> Is there a history or details about what the vulnerability found was?
>
> It would help the rest of us when we do customization.
>
> Thanks and Regards,
> Abdul Basith S
>
> From: Jérôme LELEU <[email protected]>
> To: [email protected]
> Cc: [email protected], [email protected], [email protected]
> Date: 05/06/2014 09:39 PM
> Subject: Re: [cas-user] Critical vulnerability CAS 3.5.2
>
> Hi,
>
> After further investigations, the vulnerability comes from a customization added to the CAS server and not from the CAS server itself.
> One must always be careful when it comes to customization.
> Thanks for reporting anyway.
> Best regards,
> Jérôme
>
> On Monday, May 5, 2014 4:16:26 PM UTC+2, Malarvizhi Perumalraja wrote:
>
> Okay, thank you.
>
> From: Scott Battaglia [mailto:[email protected]]
> Sent: Monday, May 05, 2014 10:00 AM
> To: [email protected]
> Subject: Re: [cas-user] Critical vulnerability CAS 3.5.2
>
> Please contact the security group:
>
> https://wiki.jasig.org/display/JSG/Security+Contact+Group
>
> if you feel you may have found a vulnerability, providing as many details as possible.
>
> Thanks!
>
> Scott
>
> On Mon, May 5, 2014 at 9:50 AM, Malarvizhi Perumalraja <[email protected]> wrote:
>
> Hi,
>
> We recently upgraded to CAS 3.5.2. Today our security software detected a critical cross-site scripting vulnerability on our CAS website.
>
> Does anyone else have the same issue? Please advise what actions need to be taken. Is there any security patch?
>
> Thanks
>
> Malar
>
> This email is intended for the designated recipient only, and may be confidential, non-public, proprietary, protected by the attorney/client or other privilege. Unauthorized reading, distribution, copying or other use of this communication is prohibited and may be unlawful. Receipt by anyone other than the intended recipients should not be deemed a waiver of any privilege or protection. If you are not the intended recipient or if you believe that you have received this email in error, please notify the sender immediately and delete all copies from your computer system without reading, saving, or using it in any manner. Although it has been checked for viruses and other malicious software, malware, we do not warrant, represent or guarantee in any way that this communication is free of malware or potentially damaging defects. All liability for any actual or alleged loss, damage, or injury arising out of or resulting in any way from the receipt, opening or use of this email is expressly disclaimed.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> =====-----=====-----=====
> Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
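The thread only says that the cross-site scripting came from "a customization added to the CAS server" and not from CAS itself. As an added illustration (this is not code from the thread or from the CAS project), the block below shows the usual shape of such a customization and its fix: a request parameter is concatenated into HTML without output encoding. The choice of the CAS `service` parameter as the echoed value, the `renderUnsafe`/`renderSafe` method names and the `escapeHtml` helper are assumptions made for the example; in a real JSP view you would use JSTL's `<c:out>`/`fn:escapeXml` or Spring's `HtmlUtils.htmlEscape` instead of a hand-rolled encoder.

```java
import java.util.Collections;
import java.util.Map;

/**
 * Added example, not code from the cas-user thread or from the CAS project.
 * Models the kind of view customization that introduces reflected XSS into a
 * CAS login page: an attacker-controlled request parameter (here the CAS
 * "service" URL, chosen as an assumption) is written into HTML unencoded.
 * renderUnsafe() is the vulnerable pattern, renderSafe() the hardened one.
 */
public class CasCustomizationXss {

    /**
     * Minimal HTML/attribute encoder. Equivalent in spirit to JSTL's
     * fn:escapeXml or Spring's HtmlUtils.htmlEscape; prefer those in a real
     * JSP view rather than this hand-rolled copy.
     */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Vulnerable: the untrusted value lands in an attribute and in element
     * text without encoding, so a quote in the value closes the attribute
     * and the rest of the payload becomes live markup.
     */
    static String renderUnsafe(Map<String, String> params) {
        String service = params.get("service");
        return "<p>You will be redirected to <a href=\"" + service + "\">"
             + service + "</a> after login.</p>";
    }

    /**
     * Hardened: the untrusted value is encoded for the HTML context before
     * insertion, so it can no longer change the structure of the markup.
     * Note that encoding does not validate the URL itself: if the value is
     * used as a link target, also reject schemes such as "javascript:".
     */
    static String renderSafe(Map<String, String> params) {
        String service = escapeHtml(params.get("service"));
        return "<p>You will be redirected to <a href=\"" + service + "\">"
             + service + "</a> after login.</p>";
    }

    public static void main(String[] args) {
        // Constructed payload: closes the href attribute and injects a script tag.
        Map<String, String> params = Collections.singletonMap("service",
            "https://app.example.org/\"><script>alert(document.cookie)</script>");

        String unsafe = renderUnsafe(params);
        String safe   = renderSafe(params);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The vulnerable rendering carries a live <script> element; the
        // hardened one only carries the text "&lt;script&gt;".
        System.out.println("unsafe contains <script>: " + unsafe.contains("<script>"));
        System.out.println("safe contains <script>:   " + safe.contains("<script>"));
    }
}
```

Compile and run with `javac CasCustomizationXss.java && java CasCustomizationXss`. The first line of output is what a scanner such as the one in the thread would flag on the customized page; the second shows the same input rendered harmlessly. The fix is purely in the view layer, which is consistent with the thread's conclusion that stock CAS 3.5.2 was not at fault.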
