290 matches found

RedhatCVE
added 2025/07/06 2:18 a.m. · 6 views

CVE-2025-6238

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the...

CVSS 8 · AI score 6.6 · EPSS 0.00192
Exploits 0 · References 1

OSV
added 2025/07/04 3:15 a.m. · 2 views

CVE-2025-6238

The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the...

CVSS 8 · AI score 5.9
Exploits 0 · References 4

RedhatCVE
added 2025/07/03 3:22 p.m. · 4 views

CVE-2025-53099

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a...

CVSS 5.5 · AI score 7.2 · EPSS 0.00318
Exploits 0 · References 1

NVD
added 2025/07/01 3:15 p.m. · 8 views

CVE-2025-53099

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a...

CVSS 7.5 · EPSS 0.00318
Exploits 0 · References 8

Vulnrichment
added 2025/07/01 2:53 p.m. · 6 views

CVE-2025-53099 Sentry Missing Invalidation of Authorization Codes During OAuth Exchange and Revocation

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a...

CVSS 5.5 · AI score 6.5 · EPSS 0.00318
Exploits 0 · References 8

CVE
added 2025/07/01 2:53 p.m. · 43 views

CVE-2025-53099

CVE-2025-53099 affects Sentry prior to 25.5.0. A race condition in handling of OAuth authorization codes could allow a malicious OAuth app to maintain persistence on a user's account via timed requests/redirect flows and multiple authorization codes. The issue is mitigated by upgrading self-hoste...

CVSS 7.5 · AI score 6.5 · EPSS 0.00318
Exploits 0 · References 8 · Affected Software 1

CNNVD
added 2025/07/01 12:00 a.m. · 4 views

Sentry security vulnerability

Sentry is a developer-oriented bug tracking and performance monitoring platform from Sentry Open Source. A security vulnerability exists in versions of Sentry prior to 25.5.0 that stems from mishandling of competitive conditions and authorization code that may be used as a way to keep user accoun...

CVSS 7.5 · AI score 6.8 · EPSS 0.00318
Exploits 0 · References 9

RedhatCVE
added 2025/05/23 9:54 a.m. · 3 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1 · AI score 6.9 · EPSS 0.00093
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 4:54 a.m. · 5 views

CVE-2023-2193

Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token...

CVSS 9.1 · AI score 7 · EPSS 0.00271
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 3:28 a.m. · 5 views

CVE-2023-32312

UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...

CVSS 5.3 · AI score 6.9 · EPSS 0.00294
Exploits 0 · References 1

RedhatCVE
added 2025/05/22 1:00 a.m. · 6 views

CVE-2016-3098

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4 and earlier allows remote attackers to hijack the user's OAuth authorization code...

CVSS 5.4 · AI score 7.1 · EPSS 0.00116
Exploits 0 · References 1

RedhatCVE
added 2025/04/26 6:26 a.m. · 3 views

CVE-2025-43916

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have...

CVSS 3.4 · AI score 7 · EPSS 0.00238
Exploits 0 · References 1

NVD
added 2025/04/21 2:15 p.m. · 8 views

CVE-2025-43916

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have...

CVSS 3.4 · EPSS 0.00238
Exploits 0 · References 1

Cvelist
added 2025/04/21 12:00 a.m. · 9 views

CVE-2025-43916

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have...

CVSS 3.4 · EPSS 0.00238
Exploits 0 · References 1

Positive Technologies
added 2025/04/21 12:00 a.m. · 1 view

PT-2025-17434 · Sonos · Sonos

Name of the Vulnerable Software and Affected Versions: Sonos versions through 2025-04-21. Description: The issue concerns the /login/v3/oauth endpoint, which accepts a redirect uri containing userinfo in the authority component. This is inconsistent with RFC 6819 section 5.2.3.5, potentially...

CVSS 3.4 · AI score 6.3 · EPSS 0.00238
Exploits 0 · References 6

CVE
added 2025/04/21 12:00 a.m. · 55 views

CVE-2025-43916

CVE-2025-43916 affects Sonos api.sonos.com (endpoint /login/v3/oauth). The flaw allows a redirect_uri containing userinfo in the authority component, violating RFC 6819 5.2.3.5 and potentially causing an authorization code to be sent to an attacker-controlled destination. Public-fix details are n...

CVSS 3.4 · AI score 7 · EPSS 0.00238
Exploits 0 · References 1

RedHat Linux
added 2025/04/17 2:38 p.m. · 6 views

elytron-oidc-client: OIDC Authorization Code Injection

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2 · AI score 5.8 · EPSS 0.00121
Exploits 0 · References 8

RedHat Linux
added 2025/04/17 2:33 p.m. · 3 views

elytron-oidc-client: OIDC Authorization Code Injection

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2 · AI score 5.8 · EPSS 0.00121
Exploits 0 · References 8

RedHat Linux
added 2025/04/17 2:32 p.m. · 18 views

Moderate: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0.7 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 6.5 · AI score 6.2 · EPSS 0.00199
Exploits 0 · References 19

Github Security Blog
added 2025/03/25 9:49 p.m. · 19 views

WildFly Elytron OpenID Connect Client Extension: OIDC authorization code injection attack

Impact: A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is...

CVSS 4.2 · AI score 7.4 · EPSS 0.00121
Exploits 0 · References 10 · Affected Software 2