Title: Apereo CAS through 6.4.1 allows Reflected Cross-Site Scripting via POST requests sent to the REST API endpoints
CVE ID: CVE-2021-42567
CVSSv3 Base Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Products: CAS - Central Authentication Server
Advisory Release Date: 15-11-2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-42567
Credits: Discovery by Caio Farias <caio.farias[at]devoteam.com> and Henrique Mendes <hcm[at]integrity.pt>
The application fails to sanitize input in requests sent to the REST API endpoint. The input is echoed in the REST API response, which is served with the content type text/html, leading to a reflected XSS.
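To illustrate the defect class the advisory describes, here is an added example (not CAS project code) that models a REST endpoint echoing caller input into a text/html response, beside a hardened version that escapes the reflected value and serves JSON; the handler names and the sample input are constructed.

```python
"""Constructed model of the advisory's pattern: a REST error response that
reflects caller input into an HTML body, and a hardened equivalent.
None of these names come from CAS; they exist only for this example."""
from html import escape
import json

# Constructed sample input, as a caller might place it in a POST body.
SAMPLE_INPUT = "<script>alert(1)</script>"


def vulnerable_response(user_input: str) -> tuple:
    """Reflects the input unescaped into an HTML body (the advisory's defect).
    Returns (content_type, body)."""
    body = f"<html><body>Invalid request for user: {user_input}</body></html>"
    return ("text/html", body)


def hardened_response(user_input: str) -> tuple:
    """Two independent mitigations: HTML-escape the reflected value and
    serve the REST result as application/json rather than text/html, so a
    browser will not interpret the body as markup even if escaping is missed."""
    payload = {"error": "invalid request", "user": escape(user_input, quote=True)}
    return ("application/json", json.dumps(payload))


def reflects_unescaped(content_type: str, body: str, user_input: str) -> bool:
    """Defender's check for a response: True when the body is served as HTML
    and still contains the caller's raw input, i.e. an unescaped reflection."""
    return content_type.startswith("text/html") and user_input in body
```

The check is the kind of assertion a regression test for this issue would make: the REST response must either not be HTML or must not contain the raw input.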