Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NApereo Central Authentication Service
APPApereo6.3.05.3.0 – 5.3.16 (bez)6.0.0 – 6.1.7.2 (bez)6.2.0 – 6.2.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Related vulnerabilities
CVE-2024-4399CRITICAL9.1PL ✓ten sam produkt
SSRF w Apereo Central Authentication Service — brak walidacji parametru
CVE-2023-4612CRITICAL9.8ten sam produkt
Improper Authentication vulnerability in Apereo CAS in jakarta.servlet.http.HttpServletRequest.getRemoteAddr m...
CVE-2019-10754HIGH8.1ten sam produkt
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStrin...
CVE-2015-1169HIGH7.5ten sam produkt
Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP inject...
CVE-2025-3985MEDIUM5.1ten sam produkt
A vulnerability was found in Apereo CAS 5.2.6. It has been classified as problematic. This affects the functio...