| Topic: | XSS vulnerabilty in the phpcas module |
| Severity/Risk: | Major (if using CAS) |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Joachim Fritschi |
| Issue no.: | MDL-21802 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | use CAS/Client.php from latest release |
Description:
We have backported a fix for a security problem fixed in recent version of PHP CAS client library - http://www.ja-sig.org/issues/browse/PHPCAS-52. The problem can be exploited only if CAS authentication is enabled and used on your site.