75 matches found
Unintended Proxy or Intermediary ('Confused Deputy')
Overview fastmcp is a The fast, Pythonic way to build MCP servers and clients. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' during the authentication with OAuth providers that don't support Dynamic Client Registration DCR. An attacker can...
CVE-2025-9152
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges,...
EUVD-2025-34755
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges,...
CVE-2025-9152
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges,...
CVE-2025-9152
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges,...
CVE-2025-9152
CVE-2025-9152 affects WSO2 API Manager (and API Control Plane) via the keymanager-operations Dynamic Client Registration endpoint. The root cause is missing authentication and authorization checks, causing improper privilege management. An attacker could generate access tokens with elevated privi...
CVE-2025-9152 Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges,...
CVE-2025-9152 Improper Privilege Management in Multiple WSO2 API Manager via keymanager-operations DCR Endpoint
An improper privilege management vulnerability exists in WSO2 API Manager due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. A malicious user can exploit this flaw to generate access tokens with elevated privileges,...
PT-2025-42462
Name of the Vulnerable Software and Affected Versions WSO2 API Manager affected versions not specified Description A flaw exists due to missing authentication and authorization checks in the keymanager-operations Dynamic Client Registration DCR endpoint. This can allow a malicious user to generat...
WSO2 API Manager和WSO2 API Control Plane 安全漏洞
WSO2 API Manager and WSO2 API Control Plane are products of WSO2, Inc. WSO2 API Manager is an API lifecycle management solution and WSO2 API Control Plane is a control panel. A security vulnerability exists in WSO2 API Manager and WSO2 API Control Plane that stems from a lack of authentication an...
EUVD-2021-0993
Malware in sbrugna...
EUVD-2024-1087
Malicious code in bioql PyPI...
OAuth Dynamic Client Registration Detected
This is an informational plugin to inform the user that the scanner has detected a publicly accessible OAuth Dynamic Client Registration endpoint on the target application. OAuth Dynamic Client Registration allows clients to register dynamically with an authorization server and is very common in...
OAuth Dynamic Client Registration Permissive Metadata Field
OAuth Dynamic Client Registration allows for various metadata fields such as 'clientname', 'websiteuri' during the registration process. When the OAuth server accepts permissive values for such fields, such as ones starting with javascript://, an attacker could exploit this to perform Cross-Site...
CVE-2021-26715
The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery SSRF vulnerability. The vulnerability arises due to unsafe usage of the logouri parameter in the Dynamic Client Registration request. An unauthenticated attacker can make a HTTP reque...
CVE-2023-6544 Keycloak: authorization bypass
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic...
CVE-2023-6544 Keycloak: authorization bypass
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic...
CVE-2023-6544
CVE-2023-6544 affects Keycloak via a permissive regular expression used for filtering that governs Dynamic Client Registration and TrustedDomain. The root cause is a hardcoded regex that allows hosts to register a dynamic client, enabling a malicious user with environment knowledge to compromise ...
Authorization Bypass
keycloak is vulnerable to Authorization Bypass. The vulnerability is due to a hardcoded permissive regular expression which is used to filtering allowed hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with specific...
GHSA-46C8-635V-68R2 Keycloak Authorization Bypass vulnerability
Due to a permissive regular expression hardcoded for filtering allowed hosts to register a dynamic client, a malicious user with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration...