Tinyauth Race Condition Vulnerability
Tinyauth is an authentication and authorization server developed by the individual developer Stavros. Versions of Tinyauth prior to 5.0.5 contain a race condition vulnerability; the issue stems from race conditions in the OAuth service, which could lead to session hijacking...
Race Condition
Overview Affected versions of this package are vulnerable to a race condition in the GenericOAuthService, GithubOAuthService and GoogleOAuthService auth services. An attacker can gain unauthorized access to another user's session and associated resources by timing concurrent OAuth login requests to...
PT-2026-29659
Summary All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider...
CVE-2026-27193
Feathersjs versions ≤ 5.0.39 store all HTTP request headers in the signed but unencrypted session cookie. The complete headers object (including internal proxy/gateway headers, API keys, tokens, and internal IPs) is base64-encoded in the cookie and readable by clients, exposing sensitive infrastr...
CVE-2026-27193 Feathers exposes internal headers via unencrypted session cookie
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...
GO-2025-4075 Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server
Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server...
Security Bulletin: Security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2015-7417)
Summary A cross-site scripting vulnerability has been identified in the WebSphere Application Server OAuth Service Provider that is shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise Edition. This issue was also addressed by IBM Business Process Manager and IBM Tivoli System Automati...
Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2017-1194)
Summary There is a potential cross-site request forgery in the WebSphere Application Server OAuth service provider. Vulnerability Details Consult the security bulletin "Security Bulletin: Cross-site request forgery in WebSphere Application Server CVE-2017-1194" for vulnerability details and informatio...
Security Bulletin: Cross-site request forgery in Liberty for Java for IBM Bluemix (CVE-2017-1194)
Summary There is a potential cross-site request forgery in the WebSphere Application Server OAuth service provider. Vulnerability Details CVEID: CVE-2017-1194 DESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious a...
How To Deploy NetScaler as Both OAuth SP and IdP
Deploying NetScaler as both an OAuth Service Provider (SP) and an Identity Provider (IdP), i.e. an OpenID authenticator. This can be on the same NetScaler or on two separate appliances...
IBM WebSphere Application Server 7.0 < 7.0.0.45 / 8.0 < 8.0.0.14 / 8.5 < 8.5.5.12 / 9.0 < 9.0.0.4 / Liberty 17.0 < 17.0.0.2 OAuth Service Provider XSRF
The version of IBM WebSphere Application Server running on the remote host is 7.0 prior to 7.0.0.45, 8.0 prior to 8.0.0.14, 8.5 prior to 8.5.5.12, 9.0 prior to 9.0.0.4, or Liberty 17.0 prior to 17.0.0.2. It is, therefore, affected by a cross-site request forgery (XSRF) vulnerability in the OAuth...