Lucene search
K

79 matches found

Github Security Blog
Github Security Blog
added 2022/08/02 6:0 p.m.51 views

NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails

Impact next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.: [email protected],[email protected] to the sign-in endpoint, NextAuth.js would send emails to...

9.1CVSS8.7AI score0.01137EPSS
Exploits0References11Affected Software1
CVE
CVE
added 2022/08/02 5:55 p.m.401 views

CVE-2022-35924

CVE-2022-35924 affects NextAuth.js EmailProvider in versions before 4.10.3 and 3.29.10. An attacker could forge a request with a comma-separated email list, causing the system to send emails to both attacker and victim, potentially bypassing authorization (e.g., email.endsWith checks) when loggin...

9.1CVSS9.3AI score0.01137EPSS
Exploits0References8Affected Software1
OSV
OSV
added 2022/08/02 5:55 p.m.23 views

CVE-2022-35924 Verification requests (magic link) sent to unwanted emails

NextAuth.js is a complete open source authentication solution for Next.js applications. next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.:...

9.1CVSS9AI score0.01137EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2022/08/02 5:55 p.m.8 views

CVE-2022-35924 Verification requests (magic link) sent to unwanted emails

NextAuth.js is a complete open source authentication solution for Next.js applications. next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected. If an attacker could forge a request that sent a comma-separated list of emails eg.:...

9.1CVSS9.3AI score0.01137EPSS
Exploits0References8
CNNVD
CNNVD
added 2022/08/02 12:0 a.m.5 views

ZEIT Next.js和NextAuth.js 输入验证错误漏洞

ZEIT Next.js is an open source web application framework from ZEIT based on Vue.js, Node.js, Webpack and Babel.js.NextAuth.js is the authentication for Next.js. An input validation error vulnerability exists in the NextAuth.js component of Next.js, which stems from the fact that an attacker can...

9.1CVSS8.2AI score0.01137EPSS
Exploits0References8
NVD
NVD
added 2022/08/01 8:15 p.m.12 views

CVE-2022-31186

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log whi...

3.3CVSS0.00247EPSS
Exploits0References4
Prion
Prion
added 2022/08/01 8:15 p.m.24 views

Information disclosure

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log whi...

1.7CVSS3.8AI score0.00247EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2022/08/01 7:25 p.m.42 views

CVE-2022-31186 Leakage of excessive information into log in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log whi...

3.3CVSS4.1AI score0.00247EPSS
Exploits0References6
Cvelist
Cvelist
added 2022/08/01 7:25 p.m.18 views

CVE-2022-31186 Leakage of excessive information into log in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log whi...

3.3CVSS4AI score0.00247EPSS
Exploits0References4
CNNVD
CNNVD
added 2022/08/01 12:0 a.m.6 views

NextAuth.js和ZEIT Next.js 日志信息泄露漏洞

ZEIT Next.js is an open source web application framework from ZEIT based on Vue.js, Node.js, Webpack and Babel.js.NextAuth.js is the authentication for Next.js. NextAuth.js v4.10.2 before version 3.29.9 before the version of the log information leakage vulnerability , the vulnerability stems from...

3.3CVSS4.8AI score0.00247EPSS
Exploits0References5
CNVD
CNVD
added 2022/07/08 12:0 a.m.25 views

ZEIT Next.js NextAuth.js Cross-Site Scripting Vulnerability

ZEIT Next.js is a ZEIT company based on Vue.js, Node.js, Webpack and Babel.js open source web application framework . NextAuth.js is Next.js authentication . ZEIT Next.js NextAuth.js suffers from a cross-site scripting vulnerability. The vulnerability stems from the program's lack of data...

7.1CVSS6.2AI score0.01051EPSS
Exploits1References1
NVD
NVD
added 2022/07/06 6:15 p.m.10 views

CVE-2022-31127

NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...

7.1CVSS0.01051EPSS
Exploits1References5
Prion
Prion
added 2022/07/06 6:15 p.m.22 views

Hardcoded credentials

NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...

4.3CVSS6.3AI score0.01051EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2022/07/06 6:0 p.m.18 views

CVE-2022-31127 Improper handling of email input in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...

7.1CVSS7.1AI score0.01051EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2022/07/06 6:0 p.m.5 views

CVE-2022-31127 Improper handling of email input in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...

7.1CVSS7.2AI score0.01051EPSS
Exploits1References5
CVE
CVE
added 2022/07/06 6:0 p.m.60 views

CVE-2022-31127

CVE-2022-31127 affects NextAuth.js (Next.js) and describes an improper handling of email input at the signin email endpoint. An attacker could inject HTML into the email parameter, causing the HTML content to be rendered in an email sent to a user, enabling phishing. Remediation per sources: patc...

7.1CVSS6.3AI score0.01051EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2022/07/06 6:0 p.m.26 views

CVE-2022-31127 Improper handling of email input in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.:...

7.1CVSS6.5AI score0.01051EPSS
Exploits1References7
NVD
NVD
added 2022/06/27 10:15 p.m.33 views

CVE-2022-31093

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due ...

7.5CVSS0.01571EPSS
Exploits0References4
Prion
Prion
added 2022/06/27 10:15 p.m.21 views

Design/Logic Flaw

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due ...

5CVSS7.6AI score0.01571EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2022/06/27 9:30 p.m.5 views

CVE-2022-31093 Improper Handling of `callbackUrl` parameter in next-auth

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due ...

7.5CVSS7.6AI score0.01571EPSS
Exploits0References4
Rows per page
Query Builder