14 matches found
CVE-2026-6334 OAuth authorization code client binding not enforced during token redemption in Mattermost
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...
CVE-2026-6334
Mattermost versions 11.5.x <= 11.5.1 and 10.11.x
CVE-2026-6334 OAuth authorization code client binding not enforced during token redemption in Mattermost
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...
PT-2026-41644
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...
GO-2026-4689 Tinyauth's OIDC authorization codes are not bound to client on token exchange in github.com/steveiliop56/tinyauth
Tinyauth's OIDC authorization codes are not bound to client on token exchange in github.com/steveiliop56/tinyauth. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive report...
CVE-2026-32245
CVE-2026-32245 concerns Tinyauth, an authentication/authorization server. The issue, present before 5.0.3, is that the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client to which the code was issued. A malicious OIDC client operator can exchang...
CVE-2026-32245 Tinyauth's OIDC authorization codes are not bound to client on token exchange
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their...
CVE-2026-32245 Tinyauth's OIDC authorization codes are not bound to client on token exchange
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their...
EUVD-2026-11679
Tinyauth's OIDC authorization codes are not bound to client on token exchange...
GHSA-XG2Q-62G2-CVCM Tinyauth's OIDC authorization codes are not bound to client on token exchange
Summary The OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never...
Tinyauth's OIDC authorization codes are not bound to client on token exchange
Summary The OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their own client credentials, obtaining tokens for users who never...
CVE-2024-48416
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/fromSetLanDhcpsClientbinding...
CVE-2024-48416
CVE-2024-48416 affects Edimax AC1200 Wi‑Fi 5 Dual‑Band Router BR‑6476AC (firmware 1.06). The vulnerability is a buffer overflow in the /goform/fromSetLanDhcpsClientbinding endpoint, caused by lack of input size validation. Exploitation can lead to a remote attacker executing arbitrary commands or...
SUSE CVE-2009-2087
The Web Services functionality in IBM WebSphere Application Server WAS 6.1 before 6.1.0.25 and 7.0 before 7.0.0.5, in certain circumstances involving the ibm-webservicesclient-bind.xmi file and custom password encryption, uses weak password obfuscation, which allows local users to cause a denial ...