24 matches found

RedhatCVE
added 2026/03/26 3:6 p.m., 1 view

CVE-2026-4349

A vulnerability was determined in Duende IdentityServer4 up to 4.1.2. The affected element is an unknown function of the file /connect/authorize of the component Token Renewal Endpoint. This manipulation of the argument idtokenhint causes improper authentication. It is possible to initiate the...

CVSS 6.3, AI score 5.7, EPSS 0.00024
Exploits 0, References 1

RedhatCVE
added 2026/01/09 11:25 a.m., 4 views

CVE-2021-28290

A cross-site scripting (XSS) vulnerability in Skoruba IdentityServer4.Admin before 2.0.0 via unencoded value passed to the data-secret-value parameter...

CVSS 6.1, AI score 5.8, EPSS 0.00223
Exploits 1, References 1

RedhatCVE
added 2026/01/07 9:27 a.m., 2 views

CVE-2019-12250

IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not...

CVSS 6.1, AI score 5.6, EPSS 0.0024
Exploits 1, References 1

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2021-14979

Malware in sbrugna...

CVSS 6.1, AI score 6.3, EPSS 0.00223
Exploits 1, References 2

Snyk
added 2024/07/31 3:28 p.m., 1 view

URL Redirection to Untrusted Site ('Open Redirect')

Overview: IdentityServer4 is an OpenID Connect and OAuth 2.0 Framework for ASP.NET Core. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') through the commonly used GetAuthorizationContextAsync and IsValidReturnUrl methods which return non-null...

CVSS 5.3, AI score 7, EPSS 0.00141
Exploits 0, References 2

NVD
added 2022/05/11 6:15 p.m., 11 views

CVE-2021-28290

A cross-site scripting (XSS) vulnerability in Skoruba IdentityServer4.Admin before 2.0.0 via unencoded value passed to the data-secret-value parameter...

CVSS 6.1, EPSS 0.00223
Exploits 1, References 1

OSV
added 2022/05/11 6:15 p.m., 8 views

CVE-2021-28290

A cross-site scripting (XSS) vulnerability in Skoruba IdentityServer4.Admin before 2.0.0 via unencoded value passed to the data-secret-value parameter...

CVSS 6.1, AI score 5.7
Exploits 0, References 1

Prion
added 2022/05/11 6:15 p.m., 12 views

Cross site scripting

A cross-site scripting (XSS) vulnerability in Skoruba IdentityServer4.Admin before 2.0.0 via unencoded value passed to the data-secret-value parameter...

CVSS 4.3, AI score 5.9, EPSS 0.00223
Exploits 1, References 1, Affected Software 1

CVE
added 2022/05/11 5:34 p.m., 56 views

CVE-2021-28290

The CVE-2021-28290 entry applies to Skoruba IdentityServer4.Admin prior to 2.0.0, where an XSS flaw occurs because an unencoded value is passed to the data-secret-value parameter. The vulnerability affects that admin interface and can enable cross-site scripting via the affected input path. The N...

CVSS 6.1, AI score 5.9, EPSS 0.00223
Exploits 1, References 1, Affected Software 1

Cvelist
added 2022/05/11 5:34 p.m., 12 views

CVE-2021-28290

A cross-site scripting (XSS) vulnerability in Skoruba IdentityServer4.Admin before 2.0.0 via unencoded value passed to the data-secret-value parameter...

AI score 6.1, EPSS 0.00223
Exploits 1, References 1

CNNVD
added 2022/05/11 12:0 a.m., 1 view

IdentityServer4.Admin Cross-Site Scripting Vulnerability

IdentityServer4.Admin is an administration for IdentityServer4 and Asp.Net Core Identity by Jan Škoruba, a Czech individual developer. A security vulnerability exists in IdentityServer4.Admin versions prior to 2.0.0, which can be exploited by an attacker to conduct cross-site scripting (XSS) attack...

CVSS 6.1, AI score 6, EPSS 0.00223
Exploits 1, References 2

CNVD
added 2019/05/23 12:0 a.m., 1 view

IdentityServer IdentityServer4 Cross-Site Scripting Vulnerability

IdentityServer IdentityServer4 is an open-source OAuth open authorization framework for ASP.NET Core. A cross-site scripting vulnerability exists in IdentityServer IdentityServer4 2.4 and earlier versions. The vulnerability stems from the lack of proper validation of client-side data in WEB...

CVSS 6.1, AI score 6.4, EPSS 0.0024
Exploits 1, References 1

Veracode
added 2019/05/22 11:22 a.m., 14 views

Cross-Site Scripting (XSS)

IdentityServer4 is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of validation on the httpContext parameter in the LogForErrorContext function in the host/Extensions/RequestLoggerMiddleware.cs file, allowing remote attackers to inject and execute arbitrary...

CVSS 6.1, AI score 6, EPSS 0.0024
Exploits 1, References 1, Affected Software 1

OSV
added 2019/05/21 4:29 p.m., 3 views

CVE-2019-12250

IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not...

CVSS 6.1, AI score 6
Exploits 0, References 1

Prion
added 2019/05/21 4:29 p.m., 9 views

Cross site scripting

DISPUTED IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logg...

CVSS 4.3, AI score 5.9, EPSS 0.0024
Exploits 1, References 1, Affected Software 1

Cvelist
added 2019/05/21 3:22 p.m., 10 views

CVE-2019-12250

IdentityServer IdentityServer4 through 2.4 has stored XSS via the httpContext to the host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext method, which can be triggered by viewing a log. NOTE: the software maintainer disputes that this is a vulnerability because the request logger is not...

AI score 6, EPSS 0.0024
Exploits 1, References 1

CVE
added 2019/05/21 3:22 p.m., 36 views

CVE-2019-12250

CVE-2019-12250 affects IdentityServer4 up to version 2.4. The issue is a stored XSS via the httpContext in host/Extensions/RequestLoggerMiddleware.cs LogForErrorContext, triggerable by viewing a log. Some sources (IdentityServer maintainers) dispute this as a vulnerability since the logger is not...

CVSS 6.1, AI score 5.9, EPSS 0.0024
Exploits 1, References 1, Affected Software 1

Veracode
added 2018/08/14 2:34 a.m., 14 views

Cross-site Scripting (XSS)

IdentityServer4 is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of encoding on the redirect URI on the authorization response page, causing XSS attacks to occur...

CVSS 6.1, AI score 5.6, EPSS 0.00294
Exploits 0, References 4, Affected Software 1

Prion
added 2018/03/22 5:29 a.m., 9 views

Authorization

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations...

CVSS 4.3, AI score 5.9, EPSS 0.00294
Exploits 0, References 4, Affected Software 1

NVD
added 2018/03/22 5:29 a.m., 11 views

CVE-2018-8899

IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2.1.3 does not encode the redirect URI on the authorization response page, which might lead to XSS in some configurations...

CVSS 6.1, AI score 6, EPSS 0.00294
Exploits 0, References 4