
23 matches found

Positive Technologies
added 2026/03/12 12:00 a.m. · 2 views

PT-2026-25051

Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents a...

CVSS 5.9 · AI score 5.9 · EPSS 0.00033
Exploits 0 · References 2
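The entry above names a redirect URI allowlist bypass without saying how the allowlist was bypassed. The following is an added example, not Backstage code, that shows the rule RFC 6749 section 3.1.2.2 and OIDC Core section 3.1.2.1 impose on an authorization endpoint, simple string comparison of the requested redirect_uri against the URIs registered for the client, next to two loose comparisons that let attacker-chosen values through. The client registration, the client id and the probe URIs are constructed for the example.

```python
"""redirect_uri validation at an OIDC authorization endpoint.

Added example; not Backstage code. Shows exact string comparison (the spec
rule) beside prefix and origin matching, which both admit values outside the
registered set. All registrations and probe values below are constructed.
"""
from urllib.parse import urlsplit

# Constructed client registration; redirect URIs are fixed at registration time.
REGISTERED = {
    "demo-client": ["https://app.example/callback", "https://app.example/callback2"],
}


def prefix_match(client_id: str, requested: str) -> bool:
    """Loose: accepts anything that merely starts with a registered URI."""
    return any(requested.startswith(r) for r in REGISTERED.get(client_id, []))


def origin_match(client_id: str, requested: str) -> bool:
    """Loose: accepts any path on a registered scheme and host."""
    req = urlsplit(requested)
    return any((req.scheme, req.netloc) == (urlsplit(r).scheme, urlsplit(r).netloc)
               for r in REGISTERED.get(client_id, []))


def exact_match(client_id: str, requested: str) -> bool:
    """Spec rule: the requested value must equal a registered URI byte for byte."""
    return requested in REGISTERED.get(client_id, [])


def validate_redirect_uri(client_id: str, requested: str) -> str:
    """Return the URI the authorization code may be sent to, or raise.

    On mismatch the server must not redirect to the requested value at all
    (RFC 6749 section 4.1.2.1); the error is shown to the user agent directly.
    """
    if exact_match(client_id, requested):
        return requested
    raise ValueError("redirect_uri not registered for this client")


# Constructed attacker-chosen values; each loose rule accepts some of them.
PROBES = {
    "query appended": "https://app.example/callback?next=https://evil.example",
    "path extended": "https://app.example/callback/../open-redirect",
    "other path on same origin": "https://app.example/open-redirect?to=https://evil.example",
    "userinfo trick": "https://app.example@evil.example/callback",
    "lookalike host": "https://app.example.evil.example/callback",
}


def accepted_by(rule) -> list:
    """Names of the probes a given comparison rule lets through for demo-client."""
    return [name for name, uri in PROBES.items() if rule("demo-client", uri)]


if __name__ == "__main__":
    for rule in (prefix_match, origin_match, exact_match):
        print(rule.__name__, "accepts:", accepted_by(rule))
```

Exact comparison means the client has to register every redirect URI it will use, including query strings. The one sanctioned relaxation is RFC 8252 section 7.3, where the port of a loopback `http://127.0.0.1` redirect may vary for native apps; anything else, including case-folding the host or ignoring the path, is a deviation. When a deployment lets clients register themselves (dynamic client registration), the registration request is itself attacker-reachable, so the URIs it is allowed to register need the same scrutiny as the comparison at authorization time.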
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2009-5040

Malware in sbrugna...

CVSS 2.6 · AI score 6.4 · EPSS 0.00141
Exploits 0 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2019-5614

Malware in sbrugna...

CVSS 4.3 · AI score 4.8 · EPSS 0.00314
Exploits 0 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2010-3092

Malware in sbrugna...

CVSS 5 · AI score 6.1 · EPSS 0.00633
Exploits 0 · References 8
RedhatCVE
added 2025/05/22 8:07 a.m. · 5 views

CVE-2019-14408

cPanel before 78.0.2 allows a demo account to link with an OpenID provider SEC-460...

CVSS 4.3 · AI score 6.9 · EPSS 0.00314
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 12:07 a.m. · 7 views

CVE-2009-5085

IBM Tivoli Federated Identity Manager TFIM 6.2.0 before 6.2.0.2, when configured as an OpenID provider, does not delete the site information cookie in response to a user's deletion of a relying-party trust entry, which allows user-assisted remote attackers to bypass intended trust restrictions vi...

CVSS 2.6 · AI score 6.4 · EPSS 0.00141
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 7:32 p.m. · 8 views

CVE-2022-39387

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWi...

CVSS 9.1 · AI score 6.9 · EPSS 0.00147
Exploits 0 · References 1
Github Security Blog
added 2024/06/07 10:28 p.m. · 9 views

ZendOpenID potential security issue in login mechanism

Using the Consumer component of ZendOpenId or ZendOpenId in ZF1, it is possible to log in using an arbitrary OpenID account without knowing any secret information by using a malicious OpenID Provider. That means it is possible to log in using an arbitrary OpenID identity (MyOpenID, Google, etc.)...

AI score 7.2
Exploits 0 · References 5 · Affected Software 1
OSV
added 2024/06/07 10:28 p.m. · 18 views

GHSA-3X57-M5P4-RGH4 ZendOpenID potential security issue in login mechanism

Using the Consumer component of ZendOpenId or ZendOpenId in ZF1, it is possible to log in using an arbitrary OpenID account without knowing any secret information by using a malicious OpenID Provider. That means it is possible to log in using an arbitrary OpenID identity (MyOpenID, Google, etc.)...

CVSS 7.5 · AI score 7.2
Exploits 0 · References 5
OSV
added 2024/06/07 10:24 p.m. · 12 views

GHSA-9V78-H226-2RMQ Zendframework potential security issue in login mechanism

Using the Consumer component of ZendOpenId or ZendOpenId in ZF1, it is possible to log in using an arbitrary OpenID account without knowing any secret information by using a malicious OpenID Provider. That means it is possible to log in using an arbitrary OpenID identity (MyOpenID, Google, etc.)...

CVSS 7.5 · AI score 7.2
Exploits 0 · References 3
Positive Technologies
added 2023/01/17 12:00 a.m. · 4 views

PT-2023-9891 · Unknown · Simplesamlphp +1

Name of the Vulnerable Software and Affected Versions: simplesamlphp simplesamlphp-module-openidprovider versions up to 0.8.x Description: A vulnerability was found in the simplesamlphp simplesamlphp-module-openidprovider. The issue affects an unknown functionality of the file...

CVSS 5.4 · AI score 4.3 · EPSS 0.00549
Exploits 0 · References 8
CNNVD
added 2023/01/17 12:00 a.m. · 2 views

simplesamlphp-module-openidprovider cross-site scripting vulnerability

simplesamlphp-module-openidprovider is a simplesamlphp open source application. A cross-site scripting vulnerability exists in simplesamlphp-module-openidprovider version 0.8.x and earlier versions, which stems from the fact that incorrect manipulation of the parameter StateID can lead to...

CVSS 5.4 · AI score 4.2 · EPSS 0.00549
Exploits 0 · References 5
Positive Technologies
added 2022/11/04 12:00 a.m. · 3 views

PT-2022-24946 · Xwiki · Xwiki Oidc

Name of the Vulnerable Software and Affected Versions: XWiki OIDC versions prior to 1.29.1 Description: The issue allows an attacker to bypass XWiki authentication by specifying their own OpenID provider through request parameters, such as oidc.endpoint., or by using an XWiki-based OpenID provide...

CVSS 9.1 · AI score 7.6 · EPSS 0.00147
Exploits 0 · References 7
OSV
added 2019/08/01 3:15 p.m. · 3 views

CVE-2018-20914

In cPanel before 70.0.23, OpenID providers can inject arbitrary data into cPanel session files SEC-368...

CVSS 7.3 · AI score 5.9
Exploits 0 · References 1
CNVD
added 2019/08/01 12:00 a.m. · 1 view

cPanel Input Validation Error Vulnerability (CNVD-2019-26365)

cPanel is a web-based hosting automation platform from the US company cPanel. The platform is primarily used to automate the management of websites and servers. An input validation vulnerability exists in versions of cPanel prior to 78.0.2. The vulnerability stems from a web-based...

CVSS 4.3 · AI score 6.8 · EPSS 0.00314
Exploits 0 · References 1
CVE
added 2019/07/30 2:15 p.m. · 40 views

CVE-2019-14408

CVE-2019-14408 affects cPanel before 78.0.2. Affected component: the web-based cPanel interface; root cause described as an input validation issue that allows a demo account to link with an OpenID provider (SEC-460). Consequence: sanctioned links to an OpenID provider by a non-privileged/demo acc...

CVSS 4.3 · AI score 4.6 · EPSS 0.00314
Exploits 0 · References 1 · Affected Software 1
UbuntuCve
added 2014/09/04 5:55 p.m. · 20 views

CVE-2014-2685

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the ZendOpenIdConsumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveragin...

CVSS 7.5 · AI score 7.2 · EPSS 0.00837
Exploits 0 · References 2
Prion
added 2014/09/04 5:55 p.m. · 18 views

Authentication flaw

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the ZendOpenIdConsumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveragin...

CVSS 7.5 · AI score 7.2 · EPSS 0.00837
Exploits 0 · References 6 · Affected Software 2
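The CVE-2014-2685 entries above (and the ZendOpenID advisories earlier in the list) describe the root cause precisely: the consumer only checked that at least one field of the positive assertion was signed. The following is an added example, not Zend Framework code, that reproduces that check beside the one OpenID 2.0 section 10.1 actually requires, namely that op_endpoint, return_to, response_nonce, assoc_handle and, when present, claimed_id and identity all appear in openid.signed. A rogue OP that signs only harmless fields produces a perfectly valid signature, so signature verification alone cannot catch it; only the field-coverage check does. The association MAC key, the endpoints and both assertions are constructed for the example.

```python
"""OpenID 2.0 positive-assertion check: which fields must be signed.

Added example; not Zend Framework code. The flawed rule accepts any valid
signature covering at least one field; the strict rule also demands that the
fields OpenID 2.0 section 10.1 lists are covered. All values are constructed.
"""
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
IDENTITY_FIELDS = ("claimed_id", "identity")  # required when present in the response
MAC_KEY = b"constructed-demo-association-mac-key"  # constructed; real keys come from the association


def parse_assertion(query: str) -> dict:
    """Flatten the openid.* parameters of an indirect (id_res) response query string."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()
            if k.startswith("openid.")}


def signed_fields(params: dict) -> list:
    return [f.strip() for f in params.get("openid.signed", "").split(",") if f.strip()]


def kv_form(params: dict, fields: list) -> bytes:
    """Key-value form (OpenID 2.0 section 4.1.1) over the listed fields, in order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields).encode()


def sign(params: dict, mac_key: bytes = MAC_KEY) -> dict:
    """Produce openid.sig the way an OP would for an HMAC-SHA256 association."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields(params)), hashlib.sha256).digest()
    return {**params, "openid.sig": base64.b64encode(mac).decode()}


def signature_valid(params: dict, mac_key: bytes = MAC_KEY) -> bool:
    """Recompute the MAC over exactly the fields the OP listed in openid.signed."""
    try:
        expected = hmac.new(mac_key, kv_form(params, signed_fields(params)), hashlib.sha256).digest()
        return hmac.compare_digest(base64.b64decode(params.get("openid.sig", "")), expected)
    except (KeyError, binascii.Error):
        return False


def missing_signed_fields(params: dict) -> list:
    """Required fields absent from openid.signed; empty means the coverage is complete."""
    signed = set(signed_fields(params))
    missing = [f for f in REQUIRED_SIGNED if f not in signed]
    missing += [f for f in IDENTITY_FIELDS if "openid." + f in params and f not in signed]
    return missing


def vulnerable_accepts(params: dict) -> bool:
    """The flawed rule from the advisory: a valid signature over any one field is enough."""
    return signature_valid(params) and len(signed_fields(params)) >= 1


def strict_accepts(params: dict) -> bool:
    """Valid signature AND every required field is covered by it."""
    return signature_valid(params) and not missing_signed_fields(params)


def sample_assertion(claimed_id: str, signed: str) -> dict:
    """Constructed id_res response; the OP (honest or rogue) chooses the signed list."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2014-03-04T12:00:00Zabc123",
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": signed,
    }
    return sign(params)


HONEST = sample_assertion("https://victim.example/",
                          "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity")
# A rogue OP signs only harmless fields and asserts someone else's identifier unsigned.
ROGUE = sample_assertion("https://victim.example/", "ns,mode")

if __name__ == "__main__":
    for name, a in (("honest", HONEST), ("rogue", ROGUE)):
        print(name, "vulnerable:", vulnerable_accepts(a), "strict:", strict_accepts(a),
              "missing:", missing_signed_fields(a))
```

Because the rogue assertion's claimed_id is outside the signed set, it can be changed to any identifier without invalidating openid.sig, which is what makes the flaw an authentication bypass rather than a mere spec deviation. A complete consumer additionally checks that openid.return_to matches the current URL, that the nonce is fresh and unused, and that discovery on the claimed identifier yields the asserted op_endpoint; those checks are outside this example.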
Packet Storm
added 2014/03/04 12:00 a.m. · 34 views

Java OpenID Server 1.2.1 XSS / Session Fixation

Hi, This is a public disclosure with disarmed Proof of Concept of unpatched vulnerabilities in JOIDS Java OpenID Server. "JOIDS Java OpenID Server is a multi-domain, multi-user OpenID Provider based on OpenID4Java, Spring Framework, Hibernate, Velocity" https://code.google.com/p/openid-server/...

AI score 0.2
Exploits 0
NVD
added 2011/08/12 5:55 p.m. · 10 views

CVE-2009-5085

IBM Tivoli Federated Identity Manager TFIM 6.2.0 before 6.2.0.2, when configured as an OpenID provider, does not delete the site information cookie in response to a user's deletion of a relying-party trust entry, which allows user-assisted remote attackers to bypass intended trust restrictions vi...

CVSS 2.6 · AI score 6 · EPSS 0.00141
Exploits 0 · References 2