295 matches found
CVE-2016-3098
Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth authorization code...
Denial Of Service (DoS)
org.springframework.security:spring-security-oauth2-client is vulnerable to denial of service (DoS) attacks. An attacker is able to cause resource exhaustion by sending multiple requests initiating the authorization request for the authorization code grant using a single session or multiple...
spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...
CVE-2020-26877
ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. Specifically, it directly sends an authorization code to the redirect URI submitted with the authorization request, without checking whether the redirect...
Authorization
ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. Specifically, it directly sends an authorization code to the redirect URI submitted with the authorization request, without checking whether the redirect...
ApiFest OAuth 2.0 Server Input Validation Error Vulnerability
ApiFest OAuth 2.0 Server is ApiFest's open source Java implementation of the OAuth 2.0 protocol. A security vulnerability exists in ApiFest OAuth 2.0 Server version 0.3.1, which stems from not validating the redirect URI according to RFC 6749, which can be exploited by an...
Malicious code in uphold-authorization-code-oauth-sample (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5f9fcf4a7641090bcac961c4bf198b220a96562cb48390c5bf3bc8ed1053de38 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-6805 Malicious code in uphold-authorization-code-oauth-sample (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5f9fcf4a7641090bcac961c4bf198b220a96562cb48390c5bf3bc8ed1053de38 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in uphold-authorization-code-oauth (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8e98b7280da6cbb8c745119a06b97f7c1c78e2f55333d2cb612565044e85008d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-6804 Malicious code in uphold-authorization-code-oauth (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8e98b7280da6cbb8c745119a06b97f7c1c78e2f55333d2cb612565044e85008d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Exploit for Insufficient Verification of Data Authenticity in Jetbrains Hub
CVE-2022-25262 PoC + vulnerability details for CVE-2022-25262...
Denial Of Service (DoS)
Spring Security OAuth is vulnerable to denial of service. The vulnerability exists due to a lack of restriction on the number of requests initiating the Authorization Request for the Authorization Code Grant, allowing an attacker to exhaust the system resources by sending multiple requests with a sing...
GHSA-C2CP-3XJ9-97W9 Denial of service in Spring Security OAuth2
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the...
CVE-2022-22969
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker can send multiple requests initiating the...
OAuth consent phishing, in the wild
TL;DR An interesting incident response investigation showed exploitation of a recent OAuth related consent-phishing issue. We had been asked to investigate as the organisation had noticed some odd behaviours in the mailbox of one of the exec team. The mailbox was being queried using GraphAPI and...
GHSA-F263-C949-W85G Improper Authorization in Google OAuth Client
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...
GHSA-W9JG-GVGR-354M Resource Exhaustion in Spring Security
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...
CVE-2021-22119
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...
Code Injection
Overview oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid...