9 matches found
GHSA-JP3F-X449-4Q75 Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...
GO-2026-4656 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend
Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange in github.com/pocket-id/pocket-id/backend...
CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...
CVE-2026-28513
Pocket ID is an OIDC provider. Before version 2.4.0, the token endpoint could accept an authorization code that is expired when the client ID is correct, enabling cross-client code reuse and expired-code reuse. The issue is fixed in 2.4.0. No exploitation path details are provided beyond that, an...
CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...
CVE-2026-28513
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...
CVE-2026-28513 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.4.0, the OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse...
GHSA-QH6Q-598W-W6M2 Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange
Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...
FedP3E: Privacy-Preserving Prototype Exchange for Non-IID IoT Malware Detection in Cross-Silo Federated Learning
As IoT ecosystems continue to expand across critical sectors, they have become prominent targets for increasingly sophisticated and large-scale malware attacks. The evolving threat landscape, combined with the sensitive nature of IoT-generated data, demands detection frameworks that are both...