CVE-2017-18924
oauth2-server aka node-oauth2-server through 3.1.1 implements OAuth 2.0 without PKCE. It does not prevent authorization code injection. This is similar to CVE-2020-7692. NOTE: the vendor states 'As RFC7636 is an extension, I think the claim in the Readme of "RFC 6749 compliant" is valid and not...
Code Injection
@abramltd/jwt-oauth2-middleware (=0.1.0), @aerocorp/cli (=7.0.5) +172 more potentially affected by CVE-2017-18924 via oauth2-server (>=2.2.2 <=3.1.1)
oauth2-server NPM versions: 2.2.2, 1.0.0, 0.0.1, 2.1.0, 3.0.0, 0.4.1, 0.1.0, 3.5.8 and more. Source CVE: CVE-2017-18924. Source advisory: OSV:GHSA-2FW4-MGQ9-39CX...
CVE-2017-18924
CVE-2017-18924 concerns oauth2-server (node-oauth2-server) up to version 3.1.1, which implements OAuth 2.0 without PKCE. The description states it does not prevent authorization code injection, similar to CVE-2020-7692, and notes the vendor’s stance that RFC7636 is an extension and the RFC 6749 c...