CVE-2021-42567
MEDIUM EXPLOITED NUCLEIApereo CAS < 6.4.2 - Cross-Site Scripting via REST API POST Requests
Title source: llmExploitation Summary
CVE-2021-42567 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
Apereo CAS through 6.4.1 allows XSS via POST requests sent to the REST API endpoints.
Nuclei Templates (1)
Apereo CAS Cross-Site Scripting
MEDIUMby pdteam
Shodan:
http.title:'CAS - Central Authentication Service' || http.title:'cas - central authentication service'
FOFA:
title='cas - central authentication service'
References (2)
Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/apereo/cas/releases
Patch, Third Party Advisory x_refsource_confirm
https://apereo.github.io/2021/10/18/restvuln/
Scores
CVSS v3
6.1
EPSS
0.0806
EPSS Percentile
94.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV
2024-01-22
CWE
CWE-79
Status
published
Products (2)
apereo/central_authentication_service
6.3.0 - 6.3.7.1
org.apereo.cas/cas-server-core-web
0 - 6.4.2Maven
Published
Dec 07, 2021
Tracked Since
Feb 18, 2026