24 matches found

Github Security Blog
added 2026/05/06 5:01 p.m., 11 views

Nginx-UI Settings API Exposes Protected Secrets

Summary: The GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes via ProtectedFill in SaveSettings and is...

CVSS 6.5, AI score 5.8, EPSS 0.00295
Exploits 1, References 4, Affected Software 1
EUVD
added 2026/05/06 5:01 p.m., 7 views

EUVD-2026-27140

Nginx-UI Settings API Exposes Protected Secrets...

CVSS 6.5, AI score 5.8, EPSS 0.00295
Exploits 1, References 3
NVD
added 2026/05/04 9:16 p.m., 16 views

CVE-2026-42223

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

CVSS 6.5, EPSS 0.00295
Exploits 1, References 2
Cvelist
added 2026/05/04 8:12 p.m., 38 views

CVE-2026-42223 nginx-ui: Settings API Exposes Protected Secrets

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

CVSS 6.5, EPSS 0.00295
Exploits 1, References 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-48468

Malicious code in bioql PyPI...

CVSS 9.8, AI score 8.2, EPSS 0.01639
Exploits 0, References 1
CVE
added 2025/09/14 12:00 a.m., 28 views

CVE-2025-59363

In One Identity OneLogin prior to 2025.3.0, the GET /api/2/apps endpoint returned OIDC client_secret values alongside app metadata, enabling disclosure of sensitive credentials. This is caused by excessive data being returned by the Apps API v2 and constitutes a breach of confidentiality for OIDC...

CVSS 7.7, AI score 6.5, EPSS 0.00303
Exploits 0, References 1
RedHat Linux
added 2025/04/17 2:38 p.m., 7 views

elytron-oidc-client: OIDC Authorization Code Injection

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2, AI score 5.8, EPSS 0.00243
Exploits 0, References 8
OSV
added 2025/03/25 9:49 p.m., 18 views

GHSA-5565-3C98-G6JC WildFly Elytron OpenID Connect Client Extension: OIDC authorization code injection attack

Impact: A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is...

CVSS 4.2, AI score 7, EPSS 0.00243
Exploits 0, References 10
Github Security Blog
added 2025/03/25 9:49 p.m., 28 views

WildFly Elytron OpenID Connect Client Extension: OIDC authorization code injection attack

Impact: A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is...

CVSS 4.2, AI score 7.4, EPSS 0.00243
Exploits 0, References 10, Affected Software 2
RedhatCVE
added 2025/02/05 11:55 a.m., 11 views

CVE-2024-7569

An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information...

CVSS 9.8, AI score 6.1, EPSS 0.01639
Exploits 0, References 1
ATTACKERKB
added 2024/12/09 9:15 p.m., 2 views

CVE-2024-12369

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2, AI score 5.9, EPSS 0.00243
Exploits 0, References 10
NVD
added 2024/12/09 9:15 p.m., 13 views

CVE-2024-12369

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2, EPSS 0.00243
Exploits 0, References 9
CVE
added 2024/12/09 8:53 p.m., 275 views

CVE-2024-12369

CVE-2024-12369 affects the OpenID Connect client integration in WildFly/JBoss EAP via the OIDC Client (ELY-OIDC) subsystem. The flaw allows an attacker to inject a stolen authorization code into their own session, effectively impersonating a victim, typically via MitM or phishing. Affected compon...

CVSS 4.2, AI score 4.8, EPSS 0.00243
Exploits 0, References 9
Vulnrichment
added 2024/12/09 8:53 p.m., 10 views

CVE-2024-12369 Elytron-oidc-client: oidc authorization code injection

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2, AI score 7.5, EPSS 0.00243
Exploits 0, References 9
Cvelist
added 2024/12/09 8:53 p.m., 20 views

CVE-2024-12369 Elytron-oidc-client: oidc authorization code injection

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2, EPSS 0.00243
Exploits 0, References 9
RedhatCVE
added 2024/12/09 4:57 p.m., 11 views

CVE-2024-12369

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with t...

CVSS 4.2, AI score 7.4, EPSS 0.00243
Exploits 0, References 3
Positive Technologies
added 2024/12/09 12:00 a.m., 7 views

PT-2024-17571

Name of the Vulnerable Software and Affected Versions: OIDC-Client versions prior to the fixed version; EAP 7.x; EAP 8.x. Description: A vulnerability was found in OIDC-Client, allowing authorization code injection attacks to occur when using the RH SSO OIDC adapter with EAP 7.x or the...

CVSS 4.2, AI score 5.9, EPSS 0.00243
Exploits 0, References 24
Cvelist
added 2024/11/10 12:00 a.m., 12 views

CVE-2021-35473

An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use an expired access token from an OIDC client to access the OAuth2 handler. The earliest affected version is 2.0.4...

EPSS 0.00404
Exploits 0, References 2
CVE
added 2024/08/13 6:10 p.m., 48 views

CVE-2024-7569

CVE-2024-7569: Ivanti ITSM on-prem and Neurons for ITSM (versions 2023.4 and earlier) contain an information-disclosure flaw that allows an unauthenticated attacker to retrieve the OIDC client secret via debug information. Public sources consistently describe impact as high confidentiality risk ...

CVSS 9.8, AI score 6.6, EPSS 0.01639
Exploits 0, References 1, Affected Software 1
Vulnrichment
added 2024/08/13 6:10 p.m., 13 views

CVE-2024-7569

An information disclosure vulnerability in Ivanti ITSM on-prem and Neurons for ITSM versions 2023.4 and earlier allows an unauthenticated attacker to obtain the OIDC client secret via debug information...

CVSS 9.6, AI score 6.6, EPSS 0.01639
Exploits 0, References 1