Drupal · Central Authentication System (CAS) Server · CVE-2026-1554
**Name of the Vulnerable Software and Affected Versions**
Drupal Central Authentication System (CAS) Server versions prior to 2.0.3
Drupal Central Authentication System (CAS) Server versions 2.1.0 through 2.1.1
**Description**
The Central Authentication System (CAS) Server module for Drupal does not adequately sanitize user-provided field values when configured as attributes in a CAS server response, leading to an XML Element Injection issue. An attacker must be authenticated and have the ability to input XML into a user entity field that is configured as a CAS Attribute source to exploit this.
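The flaw class described above, as an added example that is not code from the CAS Server module: a response builder that concatenates a field value into `cas:attributes`, next to one that writes the value as an escaped text node. The function names, the `displayName` attribute and the field value are constructed for illustration.

```php
<?php
// Added illustration; not code from the Drupal CAS Server module.
const CAS_NS = 'http://www.yale.edu/tp/cas';

// Weak form: the field value is concatenated into the response as-is.
function build_attributes_unsafe(array $attributes): string {
  $xml = '<cas:attributes xmlns:cas="' . CAS_NS . '">';
  foreach ($attributes as $name => $value) {
    $xml .= "<cas:$name>$value</cas:$name>";
  }
  return $xml . '</cas:attributes>';
}

// Hardened form: the value becomes a text node, so markup is escaped on output.
function build_attributes_safe(array $attributes): string {
  $doc = new DOMDocument('1.0', 'UTF-8');
  $root = $doc->appendChild($doc->createElementNS(CAS_NS, 'cas:attributes'));
  foreach ($attributes as $name => $value) {
    // Names come from site configuration; accept only simple XML names.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_.-]*$/', $name)) {
      throw new InvalidArgumentException("Invalid attribute name: $name");
    }
    $element = $root->appendChild($doc->createElementNS(CAS_NS, "cas:$name"));
    $element->appendChild($doc->createTextNode((string) $value));
  }
  return $doc->saveXML($root);
}

// Lists every CAS element a client-side parser finds under cas:attributes.
function attribute_elements(string $xml): array {
  $doc = new DOMDocument();
  if (!$doc->loadXML($xml, LIBXML_NONET)) {
    return ['<unparseable>'];
  }
  $names = [];
  foreach ($doc->documentElement->getElementsByTagNameNS(CAS_NS, '*') as $node) {
    $names[] = $node->localName;
  }
  return $names;
}

// Constructed sample: a user-editable field whose value contains markup.
$attributes = ['displayName' => 'Alice <cas:extra>1</cas:extra>'];
foreach (['unsafe' => 'build_attributes_unsafe', 'safe' => 'build_attributes_safe'] as $label => $builder) {
  echo $label, ': ', implode(', ', attribute_elements($builder($attributes))), "\n";
}
```

With the constructed value, the concatenating builder yields an additional `extra` element in the parsed response, while the DOM-based builder yields only `displayName` with the markup preserved as literal text.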
**Recommendations**
Update Drupal Central Authentication System (CAS) Server to version 2.0.3 or later.
Update Drupal Central Authentication System (CAS) Server to version 2.1.2 or later.