149 matches found
Moderate: Red Hat Security Advisory: OpenShift Container Platform 3.11 security update
Red Hat OpenShift Container Platform release 3.11.188 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, whi...
CVE-2016-8609
CVE-2016-8609 affects Keycloak before 2.3.0, where the authentication flow is not implemented correctly. An attacker could craft a phishing URL to hijack a user session, leading to information disclosure and potential further attacks. Public advisories in the connected set reiterate the issue and...
Rockstar Games: SocialClub's Facebook OAuth Theft through Warehouse XSS.
In this report, the researcher was able to chain together 3 separate, minor bugs to create an exploit that was greater than the sum of its parts. This exploit could have potentially allowed attackers to steal OAuth tokens from users. The exploit chain involved taking advantage of our SSO between...
UBUNTU-CVE-2018-5113
The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox 58...
Inflection: Session ID is accessible via XSS
Researcher found a vulnerability in the authentication flow that, when chained with an XSS vulnerability could lead to session take over...
How to Configure NetScaler as IDP for SAML Based Integration with 15Five
This article describes how to configure NetScaler as an Identity Service Provider IDP for 15Five SaaS applications, using SAML Security Assertion Markup Language protocol. Introduction 15Five is a company that provides performance management platform that combines employee feedback, objectives...
CVE-2016-8609
It was found that the keycloak did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks...
Factlink: Login CSRF using Twitter oauth
this bug allows a user to be logged in as the attacker. The main reason is that no state is maintained in the authentication flow. Although the Twitter flow still uses OAuth 1.0A, which has no state parameter as in OAuth 2, it is still possible to prevent this type of attack by setting an...
Phabricator: Login CSRF using Twitter OAuth
This bug is related to bug report 774 Log in a user to another account by @dawidczagan as this bug also allows a user to be logged in as the attacker. The main reason is that no state is maintained in the authentication flow. Although the Twitter flow still uses OAuth 1.0A, which has no state...