CVE-2010-3690

Name of the Vulnerable Software and Affected Versions phpCAS versions prior to 1.1.3

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via a crafted PGTiou parameter to the callback function in client.php, or through vectors involving functions that make getCallbackURL calls, or vectors involving functions that make getURL calls.

Recommendations For phpCAS versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider disabling proxy mode until a patch is available. Restrict access to the callback function in client.php to minimize the risk of exploitation. Avoid using the PGTiou parameter in the affected API endpoint until the issue is resolved.