Lucene search
+L

193 matches found

Spring Security Advisories
Spring Security Advisories
added 2022/03/29 7:0 a.m.28 views

This Week in Spring - March 29th, 2022

Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. Its our daughters Spring break and so were enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this...

7.1AI score
Exploits0
CNVD
CNVD
added 2021/10/31 12:0 a.m.51 views

ISC BIND Denial of Service Vulnerability (CNVD-2023-25100)

ISC BIND is an open source software implementation of the DNS protocol from ISC, Inc. A denial-of-service vulnerability exists in BIND, which stems from an error in the corresponding processing of the product's authorization server. An attacker could exploit the vulnerability to cause a performan...

5CVSS5.6AI score0.08001EPSS
Exploits0Affected Software3
CNNVD
CNNVD
added 2021/10/27 12:0 a.m.3 views

ISC BIND 资源管理错误漏洞

ISC BIND is an open source software implementation of the DNS protocol from ISC, Inc. A denial-of-service vulnerability exists in BIND, which stems from an error in the corresponding processing of the product's authorization server. An attacker could exploit the vulnerability to cause a performan...

5.3CVSS5.7AI score0.08001EPSS
Exploits0References49
OSV
OSV
added 2021/09/28 4:16 p.m.37 views

GHSA-F263-C949-W85G Improper Authorization in Google OAuth Client

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...

7.4CVSS8.3AI score0.01587EPSS
Exploits1References9
vulnersOsv
vulnersOsv
added 2021/05/13 10:31 p.m.6 views

org.hspconsortium.reference:hspc-reference-auth-server-webapp (>=0.11 <=1.15.3), org.hspconsortium:hsp-authorization-server (=0.8) +1 more potentially affected by CVE-2021-27582 via org.mitre:openid-connect-parent (>=1.2.0 <=1.3.1)

org.mitre:openid-connect-parent MAVEN version =1.2.0, =0.11, =1.15.3 - org.hspconsortium:hsp-authorization-server =0.8 - org.hspconsortium:hsp-reference-authorization =0.8 Source cves: CVE-2021-27582 Source advisory: OSV:GHSA-8P36-Q63G-68QH...

9.1CVSS7.2AI score0.02222EPSS
Exploits1
NVD
NVD
added 2021/04/02 10:15 a.m.23 views

CVE-2021-22696

CXF supports via JwtRequestCodeFilter passing OAuth 2 parameters via a JWT token as opposed to query parameters see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request JAR. Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from...

7.5CVSS0.06593EPSS
Exploits0References9
Veracode
Veracode
added 2021/03/26 3:53 a.m.18 views

Server Side Request Forgery (SSRF)

MITREid Connect is vulnerable to Server Side Request Forgery SSRF. An attacker is able to request any URL accessible from the authorization server and display its content, leading to a Server Side Request Forgery attack via logouri parameter during registration process. Moreover, a lack of...

9.1CVSS1.7AI score0.01494EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2021/03/15 5:15 p.m.5 views

CVE-2020-25239

A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.0. The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with...

8.8CVSS7.2AI score0.0094EPSS
Exploits0References1
NVD
NVD
added 2021/03/15 5:15 p.m.27 views

CVE-2020-25239

A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.0. The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with...

8.8CVSS0.0094EPSS
Exploits0References1
Cvelist
Cvelist
added 2021/03/15 5:3 p.m.30 views

CVE-2020-25239

A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.0. The webserver could allow unauthorized actions via special urls for unpriviledged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with...

8.4AI score0.0094EPSS
Exploits0References1
CVE
CVE
added 2021/03/15 5:3 p.m.51 views

CVE-2020-25239

CVE-2020-25239 affects SINEMA Remote Connect Server (all versions prior to v3.0). The vulnerability is an Incorrect Authorization (CWE-863) where a webserver could allow unauthorized actions via special URLs for unprivileged users, enabling an attacker authenticated with limited rights to modify ...

8.8CVSS8.3AI score0.0094EPSS
Exploits0References1Affected Software1
CNVD
CNVD
added 2021/03/09 12:0 a.m.6 views

Siemens SINEMA Remote Connect Server Incorrect Authorization Vulnerability

Siemens SINEMA Remote Connect Server is a remote network management platform from Siemens, Germany. The platform is used to remotely access, maintain, control and diagnose the underlying network. An incorrect authorization vulnerability exists in Siemens SINEMA Remote Connect Server. An attacker...

8.8CVSS7.2AI score0.0094EPSS
Exploits0References1
OSV
OSV
added 2020/11/24 9:21 p.m.7 views

GHSA-MJCR-RQJG-RHG3 Implementation trusts the "me" field returned by the authorization server without verifying it

Impact A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. Patches Version 1.1 fixes this...

6.9AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2020/11/24 9:21 p.m.30 views

Implementation trusts the "me" field returned by the authorization server without verifying it

Impact A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. Patches Version 1.1 fixes this...

2.9AI score
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2020/07/13 1:52 p.m.25 views

CVE-2020-7692

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...

6.4CVSS3.1AI score0.01587EPSS
Exploits1References3
OSV
OSV
added 2020/07/09 2:15 p.m.39 views

CVE-2020-7692

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...

9.1CVSS6.8AI score
Exploits0References7
Debian CVE
Debian CVE
added 2020/07/09 1:20 p.m.39 views

CVE-2020-7692

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized...

9.1CVSS8.3AI score0.01587EPSS
Exploits1
CNVD
CNVD
added 2020/04/23 12:0 a.m.3 views

JetBrains IntelliJ IDEA License Server Resolution Vulnerability

JetBrains IntelliJ IDEA is a Czech company JetBrains set of integrated development environment for the Java language . A security vulnerability exists in JetBrains IntelliJ IDEA versions prior to 2020.1. An attacker can exploit the vulnerability to resolve the authorization server to an untrusted...

9.8CVSS6.8AI score0.02245EPSS
Exploits0References1
NVD
NVD
added 2019/06/19 10:15 p.m.19 views

CVE-2017-14395

Auth 2.0 Authorization Server of ForgeRock Access Management OpenAM 13.5.0-13.5.1 and Access Management AM 5.0.0-5.1.1 does not correctly validate redirecturi for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS...

6.1CVSS6.4AI score0.00793EPSS
Exploits0References1
NVD
NVD
added 2019/06/19 10:15 p.m.12 views

CVE-2017-14394

OAuth 2.0 Authorization Server of ForgeRock Access Management OpenAM 13.5.0-13.5.1 and Access Management AM 5.0.0-5.1.1 does not correctly validate redirecturi for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect...

6.1CVSS6.3AI score0.00794EPSS
Exploits0References1
Rows per page
Query Builder