CVE-2021-42567 Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.

1. Vulnerability Properties

Title: Apereo CAS through 6.4.1 allows Reflected Cross-Site Scripting via POST requests sent to the REST API endpoints
CVE ID: CVE-2021-42567
CVSSv3 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vendor: Apereo
Products: CAS - Central Authentication Service
Advisory Release Date: 12 May 2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-42567
Credits: Discovery by Caio Farias <caio.farias[at]devoteam.com> and Henrique Mendes <hcm[at]integrity.pt>

2. Vulnerability Summary

The REST API endpoints do not sanitize or encode the values submitted in POST requests. A submitted value is echoed back in the response, and because that response is served with Content-Type text/html, a browser renders it as markup and executes any script it contains in the context of the CAS origin: a reflected cross-site scripting condition. Since the injection point is a POST parameter, an attacker must induce the victim to submit a crafted form (for example from an attacker-controlled page) rather than follow a link, which is why the CVSS vector carries UI:R.
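The following probe is an added example written for this advisory; it is not Apereo code and does not come from the original report. It sends a unique canary containing HTML metacharacters in a POST parameter and flags a response only when the canary comes back verbatim in a body the browser would render as HTML, so HTML-encoded or JSON-encoded reflections, and reflections in text/plain or application/json responses, are not counted. The URL and form-field name passed to the live probe are assumptions, and the three small responders are constructed here purely to exercise the checker offline: one reproduces the class of bug described above, the other two show the two usual fixes (a non-HTML content type, or HTML-escaping the echoed value).

```python
"""Added example (not Apereo CAS code): probe for unescaped reflection of a
POST parameter in a text/html response, with constructed responders so the
checker runs offline."""
import html
import json
import secrets
from typing import Callable, Optional, Tuple
from urllib import error, parse, request


def make_canary() -> str:
    # Random marker wrapped in characters that must be encoded in HTML;
    # if it comes back byte-for-byte, the endpoint did not encode it.
    return f'"><svg/cas{secrets.token_hex(4)}>'


def is_reflected_unescaped(content_type: str, body: str, canary: str) -> bool:
    """True only when the canary appears verbatim in a response the browser
    would parse as HTML. Encoded reflections (&lt;, \\u003c, \\") don't match."""
    mime = content_type.split(";")[0].strip().lower()
    if mime not in ("text/html", "application/xhtml+xml"):
        return False
    return canary in body


# --- Constructed responders: (Content-Type, body). Illustrative only. ---
def vulnerable_responder(field: str) -> Tuple[str, str]:
    # Echoes the submitted value into an HTML body without encoding it.
    return ("text/html;charset=UTF-8", f"<p>Unknown value: {field}</p>")


def hardened_json_responder(field: str) -> Tuple[str, str]:
    # Fix 1: a REST error belongs in a non-HTML content type. json.dumps
    # escapes the quote but not < or >, so the content type is what protects
    # a browser here; encode the value too if a client may render it.
    return ("application/json", json.dumps({"error": "unknown value", "value": field}))


def hardened_html_responder(field: str) -> Tuple[str, str]:
    # Fix 2: if HTML must be returned, HTML-encode the reflected value.
    safe = html.escape(field, quote=True)
    return ("text/html;charset=UTF-8", f"<p>Unknown value: {safe}</p>")


def probe(responder: Callable[[str], Tuple[str, str]],
          canary: Optional[str] = None) -> bool:
    """Run the checker against an in-process responder."""
    canary = canary or make_canary()
    content_type, body = responder(canary)
    return is_reflected_unescaped(content_type, body, canary)


def probe_live(url: str, field: str = "username", timeout: float = 10.0) -> bool:
    """POST the canary in one form field to a live endpoint. `url` and `field`
    are assumptions supplied by the caller, not values from the advisory.
    Error responses (4xx/5xx) are inspected too, since reflections often
    live in error pages."""
    canary = make_canary()
    data = parse.urlencode({field: canary}).encode()
    req = request.Request(url, data=data, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            content_type = resp.headers.get("Content-Type", "")
            body = resp.read().decode(errors="replace")
    except error.HTTPError as err:
        content_type = err.headers.get("Content-Type", "")
        body = err.read().decode(errors="replace")
    return is_reflected_unescaped(content_type, body, canary)


if __name__ == "__main__":
    print("vulnerable responder reflects unescaped:", probe(vulnerable_responder))
    print("JSON responder reflects unescaped:", probe(hardened_json_responder))
    print("escaped-HTML responder reflects unescaped:", probe(hardened_html_responder))
```

Run the live probe only against a CAS instance you are authorised to test, and pass the endpoint path and parameter name you have confirmed from the deployment; a True result means the value came back unencoded in an HTML response, which is the condition this advisory describes.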

3. Vulnerable Versions

  • 6.3.x
  • 6.4.x

4. Solution

  • Update to 6.3.7.1 or later on the 6.3.x branch, or 6.4.2 or later on the 6.4.x branch

5. Vulnerability Timeline

  • 13/Oct/21 - Bug reported to Apereo
  • 16/Oct/21 - Bug verified by vendor
  • 12/May/22 - Advisory released

6. References

  • https://apereo.github.io/2021/10/18/restvuln/
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42567


© 2022 Integrity Part of Devoteam. All rights reserved.