PT-2026-5243 · Drupal · Central Authentication System (CAS) Server
Gaãl Gosset +4 · Published 2026-01-28 · Updated 2026-02-11
CVE-2026-1554
CVSS v3.1: 4.2 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Drupal Central Authentication System (CAS) Server versions prior to 2.0.3
Drupal Central Authentication System (CAS) Server versions 2.1.0 through 2.1.1
Description
The Central Authentication System (CAS) Server module for Drupal does not adequately sanitize user-provided field values when configured as attributes in a CAS server response, leading to an XML Element Injection issue. An attacker must be authenticated and have the ability to input XML into a user entity field that is configured as a CAS Attribute source to exploit this.
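The following Python snippet is an added illustration of the bug class described above and is not the cas_server module's code. It builds a minimal CAS serviceValidate success response two ways: once by concatenating the mapped field values straight into the XML (the pattern the advisory describes), and once with the text nodes escaped. A parser-based check then lists the attribute elements a CAS client would actually see, so a maintainer can verify that a field value containing markup is delivered as text rather than as extra elements. The attribute name `department`, the constructed field value, and the `unexpected_attributes` helper are all assumptions made for this example.

```python
# Added example, not the cas_server module's code. Shows why interpolating
# user-entity field values into the CAS XML unescaped is an XML element
# injection, and that escaping the text nodes closes it. All names and
# values below are constructed for illustration.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}


def _wrap(user: str, attr_xml: str) -> str:
    """Shared CAS 3.0 serviceValidate success envelope around the attribute block."""
    return (
        f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
        "<cas:authenticationSuccess>"
        f"<cas:user>{user}</cas:user>"
        f"<cas:attributes>{attr_xml}</cas:attributes>"
        "</cas:authenticationSuccess>"
        "</cas:serviceResponse>"
    )


def build_response_naive(user: str, attributes: dict) -> str:
    """Vulnerable pattern: field values are concatenated straight into the XML.
    Attribute names come from the administrator's mapping; only the values
    are user-controlled data."""
    body = "".join(f"<cas:{n}>{v}</cas:{n}>" for n, v in attributes.items())
    return _wrap(user, body)


def build_response_escaped(user: str, attributes: dict) -> str:
    """Hardened pattern: every text node is escaped, so '<', '>' and '&' in a
    value become entities and can never open or close an element."""
    body = "".join(f"<cas:{n}>{escape(v)}</cas:{n}>" for n, v in attributes.items())
    return _wrap(escape(user), body)


def attribute_elements(xml_text: str) -> list:
    """Parse the response the way a CAS client would and return (name, text)
    for each element under <cas:attributes>, in document order, keeping
    duplicates so injected elements are visible."""
    root = ET.fromstring(xml_text)
    attrs = root.find("cas:authenticationSuccess/cas:attributes", NS)
    return [(child.tag.split("}", 1)[1], child.text or "") for child in attrs]


def unexpected_attributes(xml_text: str, configured: set) -> list:
    """Defensive check (constructed for this example): attribute element names in
    the response that the administrator never mapped. A non-empty result means
    some field value was interpreted as markup."""
    return [n for n, _ in attribute_elements(xml_text) if n not in configured]


# Constructed field value containing markup, of the kind a user could store in
# a profile field that is mapped as a CAS attribute.
INJECTED_VALUE = "Sales</cas:department><cas:injected>x</cas:injected><cas:department>"
CONFIGURED = {"department"}
USER_FIELDS = {"department": INJECTED_VALUE}

if __name__ == "__main__":
    naive = build_response_naive("alice", USER_FIELDS)
    safe = build_response_escaped("alice", USER_FIELDS)
    print("naive   :", attribute_elements(naive))
    print("escaped :", attribute_elements(safe))
    print("unexpected in naive  :", unexpected_attributes(naive, CONFIGURED))
    print("unexpected in escaped:", unexpected_attributes(safe, CONFIGURED))
```

With the naive builder the client sees three elements, including an `injected` one that was never configured; with the escaped builder it sees exactly one `department` element whose text is the stored value, markup and all. A value containing a bare `&` (for example `R&D`) makes the naive output unparseable, which is the same root cause showing up as a denial of the login rather than as injection. The `unexpected_attributes` check is the kind of assertion worth keeping in the module's test suite after upgrading to a fixed release.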
Recommendations
Update Drupal Central Authentication System (CAS) Server to version 2.0.3 or later.
Update Drupal Central Authentication System (CAS) Server to version 2.1.2 or later.
Fix
LPE
Affected Products
Central Authentication System (CAS) Server