26 matches found
CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
elytron-oidc-client: OIDC Authorization Code Injection
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
Moderate: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.7 security update
A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...
WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is...
GHSA-5565-3C98-G6JC WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is...
CVE-2025-24876
CVE-2025-24876 affects the SAP Approuter Node.js package, specifically version v16.7.1 and earlier. The vulnerability is an authentication bypass during the authorization code exchange, where an attacker can inject a malicious payload to steal the victim’s session. The practical impact is high co...
CVE-2025-24876 Authentication bypass via authorization code injection in SAP Approuter
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application...
Insufficient Verification Of Data Authenticity
org.wildfly:wildfly-elytron-oidc-client-subsystem is vulnerable to authorization code injection. The vulnerability is due to improper session handling that allows an attacker to inject a stolen authorization code into their own session with a victim's identity, typically through a Man-in-the-Midd...
Duplicate Advisory: WildFly Elytron OpenID Connect Client Extension authorization code injection attack
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5565-3c98-g6jc. This link is maintained to preserve external references. Original Description A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the...
CVE-2024-12369
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
CVE-2024-12369
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
CVE-2024-12369
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
CVE-2024-12369 Elytron-oidc-client: oidc authorization code injection
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
CVE-2024-12369
CVE-2024-12369 affects the OpenID Connect client integration in WildFly/JBoss EAP via the OIDC Client (ELY-OIDC) subsystem. The flaw allows an attacker to inject a stolen authorization code into their own session, effectively impersonating a victim, typically via MitM or phishing. Affected compon...
CVE-2024-12369 Elytron-oidc-client: oidc authorization code injection
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
CVE-2024-12369
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...
PT-2024-17571
Name of the Vulnerable Software and Affected Versions OIDC-Client versions prior to the fixed version EAP 7.x EAP 8.x Description A vulnerability was found in OIDC-Client, allowing authorization code injection attacks to occur when using the RH SSO OIDC adapter with EAP 7.x or the...
OIDC-Client 数据伪造问题漏洞
OIDC-Client is an IdentityModel open source library that provides OpenID Connect OIDC and OAuth2 protocol support for client-side, browser-based JavaScript client applications. OIDC-Client suffers from a data forgery issue vulnerability that stems from an authorization code injection attack that...
Code Injection
Overview oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid...
GHSA-2FW4-MGQ9-39CX Code Injection in oauth2-server
"oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...