27 matches found
CVE-2023-46480
An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...
OwnCast Security Breach
Owncast is an open source, self-hosted, decentralized, single-user real-time video streaming and chat server. A security vulnerability exists in OwnCast version v.0.1.1, which originated from a vulnerability that allows remote attackers to obtain sensitive information or execute arbitrary code vi...
PT-2023-30044 · Owncast · Owncast
Name of the Vulnerable Software and Affected Versions: OwnCast version 0.1.1 Description: The issue allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. Recommendations: For OwnCast version 0.1.1, consider...
CVE-2023-46480
An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function...
Authorization Bypass
datasetteindieauth is vulnerable to authorization bypass. The vulnerability exists because it does not check that the final me URL value returned by the authorization server belongs to the same domain as the initial value entered by the user, allowing an attacker to sign in using any IndieAuth...
GHSA-MJCR-RQJG-RHG3 Implementation trusts the "me" field returned by the authorization server without verifying it
Impact A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. Patches Version 1.1 fixes this...
Implementation trusts the "me" field returned by the authorization server without verifying it
Impact A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. Patches Version 1.1 fixes this...