26 matches found
CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
Authorization
DISPUTED oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid...
CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
CVE-2017-18924
CVE-2017-18924 concerns oauth2-server (node-oauth2-server) up to version 3.1.1, which implements OAuth 2.0 without PKCE. The description states it does not prevent authorization code injection, similar to CVE-2020-7692, and notes the vendor’s stance that RFC7636 is an extension and the RFC 6749 c...
PT-2020-8469 · Unknown · Oauth2-Server
Name of the Vulnerable Software and Affected Versions: oauth2-server aka node-oauth2-server versions 3.1.1 and earlier Description: The issue is related to the implementation of OAuth 2.0 without PKCE, which does not prevent authorization code injection. This is similar to a previously known issu...