295 matches found
CVE-2020-7692 Improper Authorization
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...
PT-2020-19715 · Google · Google-Oauth-Client
Name of the Vulnerable Software and Affected Versions: com.google.oauth-client:google-oauth-client versions prior to 1.31.0 Description: The issue is related to the implementation of PKCE support for OAuth 2.0 in Native Apps, which does not follow the RFC. This allows an attacker to intercept the...
CVE-2020-13272
OAuth flow missing verification checks in CE/EE 12.3 and later through 13.0.1 allows an unverified user to use the OAuth authorization code flow...
CVE-2020-13272
Removed by vendor...
CVE-2020-13272
GitLab CVE-2020-13272 affects GitLab CE/EE versions 12.3 through 13.0.1, where the OAuth authorization code flow lacks verification checks. The root cause is missing verification in the OAuth flow, allowing an unverified user to complete the authorization code flow. Public details in connected do...
PT-2020-13413 · Oauth +1 · Oauth +1
Name of the Vulnerable Software and Affected Versions: OAuth versions 12.3 through 13.0.1 Description: The issue concerns the OAuth flow missing verification checks, allowing an unverified user to use the OAuth authorization code flow. Recommendations: For versions 12.3 through 13.0.1, update to ...
cxf: OpenId Connect token service does not properly validate the clientId
A flaw was found in cxf in versions prior to 3.2.11 and 3.3.4. The access token services do not properly validate that an authenticated principal is equal to that of the supplied clientId parameter allowing a malicious client to use an authorization code that has been issued to a different client...
Clever Phishing Attack Bypasses MFA to Nab Microsoft Office 365 Credentials
A new phishing campaign can bypass multi-factor authentication (MFA) on Office 365 to access victims' data stored in the cloud and use it to extort a Bitcoin ransom or even find new victims to target, security researchers have found. Researchers at Cofense Phishing Defense Center discovered the...
Unspecified Vulnerability in Mozilla Firefox (CNVD-2020-26228)
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. An unspecified vulnerability exists in Mozilla Firefox. An attacker can exploit this vulnerability to obtain an authorization code and gain access to user accounts...
Error: No Licenses Associated with License Authorization Code Found in Licensing Portal
New Citrix Licensing Portal Error Message: “No licenses associated with that License Authorization Code were found. Please check the code and try again or contact Citrix Customer Service.”...
Cross-Site Request Forgery (CSRF)
auth0-aspnet and auth0-aspnet-owin are vulnerable to cross-site request forgery (CSRF). The lack of use and verification of the state parameter in the OAuth 2.0 and OpenID Connect protocols, which prevented the application from verifying the authenticity of requests, allows an attacker to inject their...
Authentication Bypass
cxf-rt-rs-security-oauth2 is vulnerable to authentication bypass. The vulnerability exists because the access token services do not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. An attacker with an authorization code that is issued to...
CVE-2019-12419
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId paramet...
Design/Logic Flaw
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId paramet...
CVE-2019-12419
CVE-2019-12419 affects Apache CXF OpenId Connect token service prior to CXF 3.3.4 and 3.2.11, where the authenticated principal is not validated against the supplied clientId in the request. This could allow an attacker who obtained an authorization code for one client to exchange it for an acces...
Spring Security OAuth - Open Redirector Vulnerability
Exploit for java platform in category web applications Exploit Title: Open Redirector in spring-security-oauth2 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth - Open Redirector
Spring Security OAuth - Open Redirector Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth - Open Redirector
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...
Spring Security OAuth 2.3 Open Redirection
Exploit Title: Open Redirector in spring-security-oauth2 Date: 17 June 2019 Exploit Author: Riemann Vendor Homepage: https://spring.io/projects/spring-security-oauth Software Link: https://spring.io Version: Spring Security OAuth versions 2.3 prior to 2.3.6...