
38 matches found

Github Security Blog
added 2023/10/04 12:30 p.m. · 22 views

Quarkus OIDC can leak both ID and access tokens

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...

CVSS 7.5 · AI score 6.8 · EPSS 0.00291
Exploits 0 · References 12 · Affected Software 1
NVD
added 2023/10/04 11:15 a.m. · 11 views

CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...

CVSS 7.5 · AI score 7.4 · EPSS 0.00291
Exploits 0 · References 6
ATTACKERKB
added 2023/10/04 11:15 a.m. · 1 view

CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...

CVSS 7.5 · AI score 6 · EPSS 0.00291
Exploits 0 · References 7
Prion
added 2023/10/04 11:15 a.m. · 17 views

Authorization

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...

CVSS 5 · AI score 7.5 · EPSS 0.00291
Exploits 0 · References 5 · Affected Software 1
NVD
added 2023/06/09 8:15 p.m. · 13 views

CVE-2023-32312

UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...

CVSS 5.3 · AI score 4.7 · EPSS 0.00294
Exploits 0 · References 4
Cvelist
added 2023/06/09 7:29 p.m. · 18 views

CVE-2023-32312 Client secret not mandatory in UmbracoIdentityExtensions

UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...

CVSS 3.7 · AI score 5.6 · EPSS 0.00294
Exploits 0 · References 4
Vulnrichment
added 2023/06/09 7:29 p.m. · 7 views

CVE-2023-32312 Client secret not mandatory in UmbracoIdentityExtensions

UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...

CVSS 3.7 · AI score 5.3 · EPSS 0.00294
Exploits 0 · References 4
OSV
added 2023/06/09 7:29 p.m. · 15 views

CVE-2023-32312 Client secret not mandatory in UmbracoIdentityExtensions

UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...

CVSS 3.7 · AI score 5.3 · EPSS 0.00294
Exploits 0 · References 6
CVE
added 2023/06/09 7:29 p.m. · 55 views

CVE-2023-32312

The CVE-2023-32312 entry concerns UmbracoIdentityExtensions, an Umbraco add-on for ASP.NET Identity integration. Affected versions expose endpoints to untrusted actors because client secrets are not required, enabling unsafe use of the implicit flow in non-SPA/multi-page scenarios. The root cause...

CVSS 5.3 · AI score 4.8 · EPSS 0.00294
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2023/06/09 12:00 a.m. · 4 views

PT-2023-23722 · Umbraco · Umbracoidentityextensions

Name of the Vulnerable Software and Affected Versions: UmbracoIdentityExtensions versions affected versions not specified Description: The issue concerns the UmbracoIdentityExtensions package, which is an Umbraco add-on for ASP.Net Identity integration. In affected versions, client secrets are no...

CVSS 5.3 · AI score 5.1 · EPSS 0.00294
Exploits 0 · References 8
RedhatCVE
added 2023/03/24 1:07 p.m. · 49 views

CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...

CVSS 7.5 · AI score 6.6 · EPSS 0.00291
Exploits 0 · References 5
GithubExploit
added 2023/03/06 2:42 p.m. · 1045 views

Exploit for Improper Authentication in Redhat Keycloak

PoC for CVE-2023-0264 Keycloak vulnerability that allows ses...

CVSS 5 · AI score 7.4 · EPSS 0.02941
Exploits 1
Virtuozzo
added 2022/09/21 12:00 a.m. · 23 views

Virtuozzo Hybrid Infrastructure 5.2 Update 1 (5.2.1-57)

This update provides full support for Authorization Code Flow, as well as bug fixes and improvements. Vulnerability id: VSTOR-57337 It is impossible to set the disk role to "Unassigned" while joining a node to the cluster. Vulnerability id: VSTOR-57187 Unable to add an iSCSI target with multiple...

AI score 1
Exploits 0
Hacker One
added 2022/09/14 7:13 p.m. · 86 views

Shopify: Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account

A vulnerability was discovered in the Shop App's Microsoft Outlook OAuth flow, where a malicious app could intercept the authorization code during authentication due to the use of deep links. This could allow an attacker to gain access to the victim's emails. The issue was mitigated by implementi...

AI score 7.5
Exploits 0
OSV
added 2020/11/03 2:31 a.m. · 15 views

GHSA-58R4-H6V8-JCVM Regression in JWT Signature Validation

Overview Versions after and including 2.3.0 are improperly validating the JWT token signature when using the JWTValidator.verify method. Improper validation of the JWT token signature when not using the default Authorization Code Flow can allow an attacker to bypass authentication and...

CVSS 7.4 · AI score 9.5 · EPSS 0.00087
Exploits 0 · References 6
UbuntuCve
added 2020/06/19 10:15 p.m. · 25 views

CVE-2020-13272

OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow...

CVSS 8.8 · AI score 7.2 · EPSS 0.00126
Exploits 0 · References 4
CVE
added 2020/06/19 9:40 p.m. · 72 views

CVE-2020-13272

GitLab CVE-2020-13272 affects GitLab CE/EE versions 12.3 through 13.0.1, where the OAuth authorization code flow lacks verification checks. The root cause is missing verification in the OAuth flow, allowing an unverified user to complete the authorization code flow. Public details in connected do...

CVSS 8.8 · AI score 8.6 · EPSS 0.00126
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2020/06/19 12:00 a.m. · 2 views

PT-2020-13413 · Oauth +1 · Oauth +1

Name of the Vulnerable Software and Affected Versions: OAuth versions 12.3 through 13.0.1 Description: The issue concerns the OAuth flow missing verification checks, allowing an unverified user to use the OAuth authorization code flow. Recommendations: For versions 12.3 through 13.0.1, update to ...

CVSS 8.8 · AI score 8.5 · EPSS 0.00126
Exploits 0 · References 7