79 matches found
CVE-2023-48309
Concrete details: The CVE-2023-48309 flaw affects next-auth (Next.js) apps before v4.24.5 that rely on the default Middleware authorization. An attacker can obtain a NextAuth.js JWT from an interrupted OAuth sign-in flow and override the next-auth.session-token cookie with this unrelated JWT to s...
CVE-2023-48309 next-auth vulnerable to possible user mocking that bypasses basic authentication
NextAuth.js provides authentication for Next.js. next-auth applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth...
CVE-2023-27490
NextAuth.js is an open source authentication solution for Next.js applications. next-auth applications using OAuth provider versions before v4.20.1 have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social...
Authorization
NextAuth.js is an open source authentication solution for Next.js applications. next-auth applications using OAuth provider versions before v4.20.1 have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social...
CVE-2023-27490 Missing proper state, nonce and PKCE checks for OAuth authentication in next-auth
NextAuth.js is an open source authentication solution for Next.js applications. next-auth applications using OAuth provider versions before v4.20.1 have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social...
CVE-2023-27490 Missing proper state, nonce and PKCE checks for OAuth authentication in next-auth
NextAuth.js is an open source authentication solution for Next.js applications. next-auth applications using OAuth provider versions before v4.20.1 have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social...
CVE-2023-27490
NextAuth.js (for Next.js) versions before 4.20.1 are affected. A partial OAuth session failure lets a network observer or social engineer modify the authorization URL to bypass CSRF checks, potentially logging in as the victim. The issue arises from missing/compromised state, PKCE, and nonce hand...
CVE-2023-27490 Missing proper state, nonce and PKCE checks for OAuth authentication in next-auth
NextAuth.js is an open source authentication solution for Next.js applications. next-auth applications using OAuth provider versions before v4.20.1 have been found to be subject to an authentication vulnerability. A bad actor who can read traffic on the victim's network or who is able to social...
NextAuth.js 授权问题漏洞
NextAuth.js is an authentication for Next.js. NextAuth.js is vulnerable to authorization issues. An attacker can exploit this vulnerability to elevate privileges...
PT-2023-21166 · Npm · Nextauth.Js
Name of the Vulnerable Software and Affected Versions: NextAuth.js versions prior to v4.20.1 Description: The issue allows a bad actor to intercept and tamper with the authorization URL, enabling them to log in as the victim and bypass CSRF protection. This occurs due to a partial failure during ...
NextAuth.js authorization issue vulnerability
NextAuth.js is an authentication for Next.js. NextAuth.js version v3.0.2 is vulnerable to authorization issues, which can be exploited by attackers to perform unauthorized actions...
CVE-2022-39263
@next-auth/upstash-redis-adapter is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation...
Design/Logic Flaw
@next-auth/upstash-redis-adapter is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation...
CVE-2022-39263 NextAuth.js Upstash Adapter missing token verification
@next-auth/upstash-redis-adapter is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation...
CVE-2022-39263 NextAuth.js Upstash Adapter missing token verification
@next-auth/upstash-redis-adapter is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation...
CVE-2022-39263
CVE-2022-39263 affects the Upstash Redis adapter for NextAuth.js when used with the Email Provider prior to v3.0.2. The adapter verifified only the identifier (email) and not the combined identifier + token in the email callback flow, enabling an attacker who knows the victim’s email (and token ex...
CVE-2022-39263 NextAuth.js Upstash Adapter missing token verification
@next-auth/upstash-redis-adapter is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use next-auth Email Provider and @next-auth/upstash-redis-adapter before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation...
NextAuth.js 授权问题漏洞
NextAuth.js is an authentication for Next.js. NextAuth.js version v3.0.2 is vulnerable to authorization issues, which can be exploited by attackers to perform unauthorized actions...
CVE-2022-35924
NextAuth.js is a complete open source authentication solution for Next.js applications. next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.:...
Authorization
NextAuth.js is a complete open source authentication solution for Next.js applications. next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.:...