| Field | Value |
|---|---|
| Title | Apereo CAS 6.6 Authentication Bypass Issues |
| Description | The web application allows the reuse of an _execution_ generated during the authentication process, which enables bypassing critical validation steps, such as credential verification, CAPTCHA, and OTP code entry. The _execution_ generated after the OTP input can be captured from a valid session and reused in subsequent login attempts, allowing an attacker to bypass all required authentication steps and gain direct access to the application without providing valid credentials or an OTP. This enables attackers to compromise the authentication process, facilitating unauthorized access to the application without the need for valid credentials or OTP verification. This could result in the compromise of user accounts, including privileged accounts, and expose the system to further attacks, such as data theft, information manipulation, and malicious actions within the authenticated environment. |
| Source | https://gist.github.com/0xArthurSouza/281e8ea8a797abc8371a8ced31dc5562 |
| User | Arthur Souza (UID 76781) |
| Submission | 11/05/2024 01:37 (2 years ago) |
| Moderation | 11/14/2024 07:53 (9 days later) |
| Status | Accepted |
| VulDB entry | 284523 [Apereo CAS 6.6 2FA /login?service improper authentication] |
| Points | 20 |