Multiple cross-site scripting (XSS) vulnerabilities in phpCAS before 1.1.3, when proxy mode is enabled, allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Proxy Granting Ticket IOU (PGTiou) parameter to the callback function in client.php, (2) vectors involving functions that make getCallbackURL calls, or (3) vectors involving functions that make getURL calls.
bugs.debian.org/cgi-bin/bugreport.cgi?bug=495542
secunia.com/advisories/41878
secunia.com/advisories/42149
secunia.com/advisories/42184
secunia.com/advisories/43427
www.debian.org/security/2011/dsa-2172
www.openwall.com/lists/oss-security/2010/09/29/6
www.openwall.com/lists/oss-security/2010/10/01/2
www.openwall.com/lists/oss-security/2010/10/01/5
www.securityfocus.com/bid/43585
www.vupen.com/english/advisories/2010/2705
www.vupen.com/english/advisories/2010/2909
www.vupen.com/english/advisories/2011/0456
developer.jasig.org/source/changelog/jasigsvn?cs=21538
forge.indepnet.net/projects/glpi/repository/revisions/12601
issues.jasig.org/browse/PHPCAS-80
lists.fedoraproject.org/pipermail/package-announce/2010-November/050415.html
lists.fedoraproject.org/pipermail/package-announce/2010-November/050428.html
lists.fedoraproject.org/pipermail/package-announce/2010-October/049600.html
lists.fedoraproject.org/pipermail/package-announce/2010-October/049602.html