Marvin S. Addison discovered that Jasig phpCAS, a PHP library for the
CAS authentication protocol, did not encode tickets before adding them
to an URL, creating a possibility for cross site scripting.
For the stable distribution (wheezy), this problem has been fixed in
version 1.3.1-4+deb7u1.
The unstable distribution (sid) will be fixed soon.
We recommend that you upgrade your php-cas packages.