Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint

Summary The OIDC authorization endpoint allows users with a TOTP-pending session password verified, TOTP not yet completed to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. Details...

EUVD-2020-19412

Malware in sbrugna...

CVE-2019-11269

CVE-2019-11269 affects Spring Security OAuth; an open-redirect at the authorization endpoint (redirect_uri) can leak the authorization code. Affected versions: 2.3 before 2.3.6, 2.2 before 2.2.5, 2.1 before 2.1.5, 2.0 before 2.0.18, and older unsupported versions. Attack requires a crafted reques...

CVE-2019-3778

Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...