CVE-2021-42567 Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.

1. Vulnerability Properties

Title: Apereo CAS through 6.4.1 allows Reflected Cross-Site Scripting via POST requests sent to the REST API endpoints
CVE ID: CVE-2021-42567
CVSSv3 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vendor: Apereo
Products: CAS - Central Authentication Server
Advisory Release Date: 12-05-2022
Advisory URL:
Credits: Discovery by Caio Farias <caio.farias[at]> and Henrique Mendes <hcm[at]>

2. Vulnerability Summary

The application fails to sanitize input in requests sent to the REST API endpoint. This input is echoed back in the REST API response, which is served with a Content-Type of text/html, so a browser renders the reflected input as markup and the result is a reflected XSS.
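The following is an added illustration, not Apereo CAS code: it models the two conditions the summary describes (a request parameter echoed verbatim, and the response typed as text/html) in a minimal response builder, places the hardened form beside it, and includes a small check of the kind a defender would run against a response to confirm whether reflected input is rendered as HTML. The `username` parameter, the message text, the header set and the probe string are all assumptions constructed for the example.

```python
"""Reflected XSS via an echoing REST error response: vulnerable vs hardened.

Added example (not Apereo CAS code). The endpoint name, the 'username'
parameter, the message wording and the probe value are constructed
assumptions used only to illustrate the condition described above.
"""
import html
import json
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed probe: benign markup, used only to see whether input is reflected raw.
CONSTRUCTED_PROBE = "<b>probe</b>"


def vulnerable_rest_error(username: str) -> Response:
    """Models the flaw: the raw parameter is echoed into a text/html body."""
    body = f"Authentication failed for user {username}"
    return Response(401, {"Content-Type": "text/html"}, body)


def hardened_rest_error(username: str) -> Response:
    """Hardened form: JSON content type, escaped echo, no MIME sniffing."""
    payload = {
        "error": "authentication_failed",
        # Escaping is defence in depth: even if a client renders this, the
        # metacharacters cannot form tags.
        "username": html.escape(username, quote=True),
    }
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Stops browsers from guessing text/html for a JSON body.
        "X-Content-Type-Options": "nosniff",
        # A restrictive CSP keeps any inline script inert even if rendered.
        "Content-Security-Policy": "default-src 'none'",
    }
    return Response(401, headers, json.dumps(payload))


def reflects_unescaped_markup(resp: Response, probe: str) -> bool:
    """Defender's check: is an HTML-typed response echoing the probe verbatim?

    Only a text/html body is a rendering risk; a JSON body that merely
    contains the probe is not, so it reports False for that case.
    """
    ctype = resp.headers.get("Content-Type", "").lower()
    if not ctype.startswith("text/html"):
        return False
    return probe in resp.body


def audit_headers(resp: Response) -> list:
    """Return the header-level findings a review of an API error page would flag."""
    findings = []
    ctype = resp.headers.get("Content-Type", "").lower()
    if ctype.startswith("text/html"):
        findings.append("API response served as text/html")
    if resp.headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "Content-Security-Policy" not in resp.headers:
        findings.append("missing Content-Security-Policy")
    return findings


def echoed_username(resp: Response) -> str:
    """Parse the hardened JSON body and return the echoed (escaped) username."""
    return json.loads(resp.body)["username"]


if __name__ == "__main__":
    for name, builder in (("vulnerable", vulnerable_rest_error),
                          ("hardened", hardened_rest_error)):
        r = builder(CONSTRUCTED_PROBE)
        print(name, "reflects raw markup:", reflects_unescaped_markup(r, CONSTRUCTED_PROBE))
        print(name, "findings:", audit_headers(r))
```

The check deliberately keys on the Content-Type rather than on the presence of the probe alone: the same echoed string is harmless in a properly typed JSON response and a rendering risk in an HTML one, which is exactly the distinction the summary draws.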

3. Vulnerable Versions

  • 6.3.x
  • 6.4.x

4. Solution

  • Update to version 6.4.2 or higher

5. Vulnerability Timeline

  • 13/Oct/21 - Bug reported to Apereo
  • 16/Oct/21 - Bug verified by vendor
  • 12/May/22 - Advisory released

6. References
