
Lomilar

#41765 of 53,632
6.5 Total CVSS
Vulnerabilities · 1
PT-2022-19480
6.5
2022-05-18
Unknown · Cass Library · CVE-2022-29229
**Name of the Vulnerable Software and Affected Versions**

CaSS Library versions prior to 1.5.8

**Description**

CaSS Library has a missing cryptographic step when storing cryptographic keys, allowing a server administrator access to an account's cryptographic keys. This issue affects CaSS servers using standalone username/password authentication, which expects end-to-end cryptographic security of authorization credentials. The issue may be mitigated by using SSO or client-side certificates to log in.

**Recommendations**

For versions prior to 1.5.8, update to version 1.5.8 to patch the issue. Note that vulnerable accounts are only resecured when the user next logs in using standalone authentication. As a temporary workaround, consider using SSO or client-side certificates to log in, as these methods do not have the same expectation of no-knowledge credential access.