13 matches found

Snyk
added 2026/04/22 12:08 a.m. · 2 views

User Impersonation

Overview: Affected versions of this package are vulnerable to User Impersonation via the X-Forwarded-Uri header when the --reverse-proxy setting is enabled and either --skip-auth-regex or --skip-auth-route is configured. An attacker can gain unauthorized access to protected routes by spoofing the...

CVSS 9.1 · AI score 5.4 · EPSS 0.00093
Exploits: 0 · References: 2
ATTACKERKB
added 2026/04/21 11:17 p.m. · 1 view

CVE-2026-41059

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...

CVSS 8.2 · AI score 5.7 · EPSS 0.00311
Exploits: 0 · References: 2 · Affected Software: 1
Positive Technologies
added 2026/04/21 12:00 a.m. · 1 view

PT-2026-34215

Name of the Vulnerable Software and Affected Versions: OAuth2 Proxy versions 7.5.0 through 7.15.1. Description: A configuration-dependent authentication bypass exists when the software is deployed using skip auth routes or the legacy skip auth regex with patterns that can be widened by...

CVSS 8.2 · AI score 5.8 · EPSS 0.00311
Exploits: 0 · References: 6
OSV
added 2026/04/15 7:21 p.m. · 1 view

GHSA-7X63-XV5R-3P2X OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing

Impact: A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true: OAuth2 Proxy is configured with --reverse-proxy; at least one rule is defined with --skipauthroutes or the legacy --skip-auth-regex; OAuth2 Proxy may trust...

CVSS 9.1 · AI score 5.9 · EPSS 0.00093
Exploits: 0 · References: 3
Tenable Nessus
added 2024/11/19 12:00 a.m. · 4 views

Fedora 39 : lemonldap-ng (2024-d0a6c4ac13)

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-d0a6c4ac13 advisory. Update to lemonldap-ng 2.20.1: - Security: Adaptative Authentication Rules triggered by "Refresh my rights" - Security: XSS in upgradeSession / forceUpgrade page...

AI score 5.5
Exploits: 0 · References: 1
Tenable Nessus
added 2024/11/19 12:00 a.m. · 4 views

Fedora 40 : lemonldap-ng (2024-e457192aa2)

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-e457192aa2 advisory. Update to lemonldap-ng 2.20.1: - Security: Adaptative Authentication Rules triggered by "Refresh my rights" - Security: XSS in upgradeSession / forceUpgrade page...

AI score 5.5
Exploits: 0 · References: 1
OSV
added 2024/11/18 6:15 a.m. · 1 view

DEBIAN-CVE-2024-52946

An issue was discovered in LemonLDAP::NG before 2.20.1. An Improper Check during session refresh allows an authenticated user to raise their authentication level if the admin configured an "Adaptative authentication rule" with an increment instead of an absolute value...

CVSS 8.8 · AI score 5.3 · EPSS 0.0016
Exploits: 0 · References: 1
Github Security Blog
added 2024/08/30 6:41 p.m. · 18 views

Hyperledger Indy's update process of a DID does not check who signs the request

Name: Updating a DID with a nym transaction will be written to the ledger if neither ROLE or VERKEY are being changed, regardless of sender. Description: A malicious DID with no particular role can ask an update for another DID but cannot modify its verkey or role. This is bad because: 1. Any DID c...

CVSS 7.5 · AI score 6.8 · EPSS 0.00162
Exploits: 1 · References: 7 · Affected Software: 1
PyPA
added 2023/10/19 7:15 p.m. · 4 views

PYSEC-2023-219

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any change...

CVSS 2.7 · AI score 6.8 · EPSS 0.00232
Exploits: 0 · References: 2 · Affected Software: 1
OSV
added 2023/10/19 6:33 p.m. · 11 views

CVE-2023-45809 Disclosure of user names via admin bulk action views in wagtail

Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any change...

CVSS 2.7 · AI score 4.4 · EPSS 0.00232
Exploits: 0 · References: 4
Github Security Blog
added 2023/10/19 3:50 p.m. · 36 views

Wagtail vulnerable to disclosure of user names via admin bulk action views

Impact: A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user...

CVSS 2.7 · AI score 6.9 · EPSS 0.00232
Exploits: 0 · References: 10 · Affected Software: 1
Apache Httpd
added 2014/11/09 12:00 a.m. · 61 views

Apache Httpd < 2.4.12 : mod_lua multiple "Require" directive handling is broken

Fix handling of the Require line in mod_lua when a LuaAuthzProvider is used in multiple Require directives with different arguments. This could lead to different authentication rules than expected...

CVSS 4.3 · AI score 6.9 · EPSS 0.11719
Exploits: 0 · Affected Software: 1