Debian Linux Security Advisory 3017-1 - Marvin S. Addison discovered that Jasig phpCAS, a PHP library for the CAS authentication protocol, did not encode tickets before adding them to an URL, creating a possibility for cross site scripting.
bc5a63f1ac06cd36d7a8fab0eda47982012e60a2fd52372d7bc36def64dd38b3