103 matches found
CVE-2024-38371 Insufficient access control for OAuth2 Device Code flow in authentik
authentik is an open-source Identity Provider. Access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application and access it. This issue has been...
authentik Security Vulnerabilities
authentik is an open source identity provisioning application from authentik open source. A security vulnerability exists in authentik that stems from a failure to check access restrictions assigned to the application when using the OAuth2 device code flow...
GitLab 12.3 < 12.9.8 / 12.10 < 12.10.7 / 13.0 < 13.0.1 (CVE-2020-13272)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow CVE-2020-13272 Note that Nessus has not tested for this issue but...
quarkus-oidc: ID and access tokens leak via the authorization code flow
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
Insecure Session Cookie Handling
quarkus-oidc is vulnerable to Insecure OIDC Session Cookie Handling. The vulnerability exists because the library does not properly encrypt the OIDC session cookie value by default which leads to the leakage of both ID and access tokens in the authorization code flow when an insecure HTTP protoco...
GHSA-6HC9-CF8X-HF83 Quarkus OIDC can leak both ID and access tokens
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
Quarkus OIDC can leak both ID and access tokens
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
CVE-2023-1584
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
CVE-2023-1584
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
Authorization
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
CVE-2023-32312
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...
CVE-2023-32312 Client secret not mandatory in UmbracoIdentityExtensions
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...
CVE-2023-32312 Client secret not mandatory in UmbracoIdentityExtensions
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...
CVE-2023-32312 Client secret not mandatory in UmbracoIdentityExtensions
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...
CVE-2023-32312
The CVE-2023-32312 entry concerns UmbracoIdentityExtensions, an Umbraco add-on for ASP.NET Identity integration. Affected versions expose endpoints to untrusted actors because client secrets are not required, enabling unsafe use of the implicit flow in non-SPA/multi-page scenarios. The root cause...
PT-2023-23722 · Umbraco · Umbracoidentityextensions
Name of the Vulnerable Software and Affected Versions: UmbracoIdentityExtensions versions affected versions not specified Description: The issue concerns the UmbracoIdentityExtensions package, which is an Umbraco add-on for ASP.Net Identity integration. In affected versions, client secrets are no...
CVE-2023-1584
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provide...
Exploit for Improper Authentication in Redhat Keycloak
PoC for CVE-2023-0264 Keycloak vulnerability that allows ses...
SUSE CVE-2017-15774
XnView Classic for Windows Version 2.43 allows attackers to execute arbitrary code or cause a denial of service via a crafted .dwg file, related to "Data from Faulting Address controls Code Flow starting at CADImage+0x0000000000221a9a."...
CVE-2022-3084 GE CIMPLICITY Access of Uninitialized Pointer
GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary code...