Apereo · Apereo Central Authentication Service (CAS) Server · CVE-2015-1169
**Name of the Vulnerable Software and Affected Versions**
Apereo Central Authentication Service (CAS) Server versions prior to 3.5.3
**Description**
The issue allows remote attackers to conduct LDAP injection attacks via a crafted `username`, potentially bypassing LDAP authentication. This can be achieved by supplying a wildcard in the `username` together with a valid `password`.
**Recommendations**
For versions prior to 3.5.3, update to version 3.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the LDAP authentication mechanism until the update is applied. Do not allow wildcard characters in the `username` field, to minimize the risk of exploitation.
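The following is an added illustration, not CAS project code, of the filter-construction mistake behind an LDAP injection of this kind and of the hardened form: the `DIRECTORY` entries, the `(uid=...)` filter shape and the toy matcher are constructed assumptions, and escaping follows RFC 4515. The `username_needs_rejecting` helper corresponds to the interim workaround of keeping wildcard characters out of the `username` field.

```python
import re

# Constructed sample directory (not real data): the entries a uid lookup would search.
DIRECTORY = [
    {"uid": "alice", "dn": "uid=alice,ou=people,dc=example,dc=org"},
    {"uid": "bob", "dn": "uid=bob,ou=people,dc=example,dc=org"},
    {"uid": "carol", "dn": "uid=carol,ou=people,dc=example,dc=org"},
]

# RFC 4515 filter metacharacters and their hex escapes.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before embedding it in an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, escape: bool) -> str:
    """Build the uid lookup filter; escape=False is the vulnerable concatenation pattern."""
    value = escape_filter_value(username) if escape else username
    return f"(&(objectClass=person)(uid={value}))"


def _unescape(value: str) -> str:
    """Turn RFC 4515 hex escapes back into literal characters (assertion-value semantics)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matching_entries(username: str, escape: bool) -> list:
    """Toy evaluation of the (uid=...) assertion: an unescaped '*' is a substring wildcard,
    an escaped one (\\2a) is only ever compared as a literal asterisk."""
    value = escape_filter_value(username) if escape else username
    segments = [re.escape(_unescape(s)) for s in value.split("*")]
    uid_regex = re.compile("^" + ".*".join(segments) + "$")
    return [e["dn"] for e in DIRECTORY if uid_regex.match(e["uid"])]


def username_needs_rejecting(username: str) -> bool:
    """Interim input check for the workaround: flag filter metacharacters in the username."""
    return any(ch in FILTER_ESCAPES for ch in username)
```

With escaping on, a wildcard username resolves to no directory entry at all, so the bind step never has an account to test the password against.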