GHSA-WG65-39GG-5WFJ Prometheus Azure AD remote write OAuth client secret exposed via config API
Impact Users who use Azure AD remote write with OAuth authentication are impacted. The clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the...
Cleartext Storage of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information via the /-/config HTTP API endpoint, where the clientsecret field in the Azure AD remote write OAuth configuration was not properly redacted. An attacker can obtain sensitive authentication...
WordPress Post SMTP plugin <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite vulnerability
Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite vulnerability discovered by Michael Iden Mickhat - Hack The Box in WordPress Plugin Post SMTP versions <= 3.8.0...
WordPress plugin Post SMTP security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
EUVD-2025-2884
Malicious code in bioql PyPI...
EUVD-2023-38321
Malicious code in bioql PyPI...
EUVD-2023-38295
Malicious code in bioql PyPI...
CVE-2025-22610
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" f...
CVE-2023-34224
In JetBrains TeamCity before 2023.05 open redirect during oAuth configuration was possible...
CVE-2025-22610 Coolify Vulnerable to OAuth Secrets Leak
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" f...
PT-2025-4596 · Coolify · Coolify
Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.361 Description: The issue is related to missing authorization, allowing any authenticated user to access and modify the global Coolify instance OAuth configuration. This exposes sensitive information,...
SUSE CVE-2023-3128
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app...
Open redirect
In JetBrains TeamCity before 2023.05 open redirect during oAuth configuration was possible...
CVE-2023-34224
CVE-2023-34224 affects JetBrains TeamCity prior to 2023.05, with an open redirect vulnerability in the OAuth configuration flow. The issue allows an attacker to induce a redirect to a malicious URL during OAuth, potentially exposing victims to phishing or credential-stealing setups as part of the...
Design/Logic Flaw
On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: an OAuth Server that references an OAuth Provider; an OAuth profile with the...
GHSA-HGRP-FGM8-56G8 Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization
An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider...
Mixmax: Email Leakage in staging environment
A developer's personal email address was used as the point of contact for an OAuth configuration used in our staging environment. Mixmax did a great job for the fix. :D...