GHSA-MR6F-H57V-RPJ5 Improper Validation of Query Parameters in Auth0 Next.js SDK
Description: An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. Am I Affected? You a...
CVE-2021-31551
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview: Duende.AccessTokenManagement is a library that manages OAuth access tokens in .NET workers and ASP.NET Core worker services. Affected versions of this package are vulnerable to a Time-of-check Time-of-use (TOCTOU) Race Condition when handling concurrent ClientCredentialsToken requests. The...
CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenID Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...
PT-2025-7217 · Duende · Duende.Accesstokenmanagement
Name of the Vulnerable Software and Affected Versions: Duende.AccessTokenManagement (affected versions not specified). Description: Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token...
Authentication Bypass
SilverStripe is vulnerable to Authentication Bypass. The vulnerability is caused by providing an empty token parameter with secure token parameters like isDev or flush, allowing bypass of normal authentication mechanisms...
WebITR Trust Management Issues Vulnerabilities
WebITR is an online time and attendance system. WebITR version 21023 suffers from a trust management vulnerability that stems from the use of hard-coded encryption keys, which can be exploited by a remote attacker to generate valid token parameters, access the system with an arbitrary user...
pki-core: unsanitized token parameters in TPS resulting in stored XSS
It was found that the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross-Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could use this flaw to trick an authenticated user...
DEBIAN-CVE-2019-10180
A vulnerability was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross-Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could...