16 matches found
EUVD-2023-3310
Malicious code in bioql PyPI...
EUVD-2023-3295
Malicious code in bioql PyPI...
CVE-2023-50714
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
CVE-2023-50714
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
CVE-2023-50708
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
Buffer overflow
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
Cross site request forgery (csrf)
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
CVE-2023-50714 The Oauth2 PKCE implementation is vulnerable
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
CVE-2023-50714 The Oauth2 PKCE implementation is vulnerable
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
CVE-2023-50714
The vulnerability CVE-2023-50714 affects yii2-authclient (Yii framework 2.x) prior to version 2.2.15. The PKCE-protected OAuth2 implementation has two issues: (1) the authCodeVerifier should be removed after use (like authState), and (2) a downgrade attack risk if PKCE is relied upon for CSRF pro...
CVE-2023-50714 The Oauth2 PKCE implementation is vulnerable
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...
CVE-2023-50708
The CVE concerns yii2-authclient (Yii framework 2.0) where OAuth1/2 state and OpenID Connect nonce are compared with a regular string comparison, enabling a timing attack. Affected versions are prior to 2.2.15. The issue is mitigated by upgrading to 2.2.15, which patches the comparison mechanism....
CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison...
PKCE Downgrade Attack
yiisoft/yii2-authclient is vulnerable to PKCE Downgrade Attack. The vulnerability is caused due to an insecure implementation of PKCE. The application doesn't use authCodeVerifier securely. An attacker can gain unauthorized access to protected resources by exploiting this vulnerability...
Timing Attack
yiisoft/yii2-authclient is vulnerable to Timing attack. The vulnerable is caused due to an insecure string comparison method strcmp used to compare a nonce. An attacker can potentially perform a time based attack to guess the nonce string...
PT-2023-31620 · Unknown · Yii2-Authclient
Name of the Vulnerable Software and Affected Versions: yii2-authclient versions prior to 2.2.15 Description: The Oauth2 PKCE implementation in yii2-authclient is vulnerable in two ways. First, the authCodeVerifier should be removed after usage, similar to authState. Second, there is a risk for a...