19 matches found
EUVD-2020-25668
Malware in sbrugna...
MAL-2025-28901 Malicious code in passport-ibm-openidconnect (npm)
The package passport-ibm-openidconnect was found to contain malicious code...
Malicious code in passport-ibm-openidconnect (npm)
The package passport-ibm-openidconnect was found to contain malicious code...
Access Token Leakage
Duende.AccessTokenManagement.OpenIdConnect is vulnerable to access token leakage. The vulnerability is due to improper token isolation within the HTTP client pool, where a refreshed access token is not properly isolated and may be captured by pooled HttpClient instances, allowing an attacker to...
CVE-2024-51987
Duende.AccessTokenManagement.OpenIdConnect is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh occurs. This occurs because a refreshed token will be captur...
GHSA-7MR7-4F54-VCX5 HTTP Client uses incorrect token after refresh
Impact HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh. This occurs because a refreshed token will be captured in pooled HttpClient instances, which may be used by a different user. Workarounds Instead of using...
HTTP Client uses incorrect token after refresh
Impact HTTP Clients created by AddUserAccessTokenHttpClient may use a different user's access token after a token refresh. This occurs because a refreshed token will be captured in pooled HttpClient instances, which may be used by a different user. Workarounds Instead of using...
CVE-2022-39387
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWi...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to not using or validating the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations...
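The entry above describes the relying-party side of the problem: if the client never sends a state value, or never checks the one that comes back, any authorization response delivered to its callback is accepted, so an attacker can plant their own authorization code in a victim's browser (login CSRF). The following is an added example, written for this listing in Python; it is not code from the package the entry refers to. The endpoint URLs, client id and session-key name are assumptions, and the forged callback is constructed input. It shows a callback handler without state beside one that binds a random, one-time state to the session and checks it in constant time.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical relying-party configuration; all of these names are assumptions for the example.
AUTHORIZE_ENDPOINT = "https://op.example/authorize"
CLIENT_ID = "example-rp"
REDIRECT_URI = "https://rp.example/callback"
STATE_KEY = "oidc_state"


class CallbackRejected(Exception):
    """Raised when an authorization response cannot be tied to a login this session started."""


def _callback_params(callback_url):
    """Parse the query string of the redirect the browser delivered to the callback endpoint."""
    query = parse_qs(urlparse(callback_url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


# --- Vulnerable pattern: no state is sent, and none is checked on return -------------------

def start_login_vulnerable(session):
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid"}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback_vulnerable(session, callback_url):
    # Any ?code= that reaches the callback is accepted. An attacker who obtains a code for
    # their own account can make the victim's browser deliver it here, binding the victim's
    # session to the attacker's identity at the provider.
    return _callback_params(callback_url)["code"]


# --- Hardened pattern: per-login random state bound to the session, verified on return ------

def start_login(session):
    state = secrets.token_urlsafe(32)          # 256 bits of entropy, unguessable
    session[STATE_KEY] = state                 # known only to this browser session
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    params = _callback_params(callback_url)
    expected = session.pop(STATE_KEY, None)    # one-time use: a replayed callback fails too
    received = params.get("state")
    if expected is None or received is None:
        raise CallbackRejected("no pending login for this session, or state missing")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise CallbackRejected("state mismatch: response was not initiated by this session")
    if "code" not in params:
        raise CallbackRejected("authorization response carries no code")
    return params["code"]


def demo():
    """Deliver a forged callback to both handlers; returns (code the vulnerable handler
    accepted, whether the hardened handler rejected it)."""
    attacker_url = REDIRECT_URI + "?" + urlencode({"code": "attacker-code"})  # constructed input
    victim = {}
    start_login_vulnerable(victim)
    accepted = handle_callback_vulnerable(victim, attacker_url)

    victim = {}
    start_login(victim)
    try:
        handle_callback(victim, attacker_url)
        rejected = False
    except CallbackRejected:
        rejected = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The session dictionary stands in for whatever server-side session store the application uses; the point is that the state value lives only there and in the authorization request, so a response the session did not start has nothing to match. PKCE addresses a different problem (code interception) and does not replace this check.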
Security Bulletin: Potential vulnerability with IBM WebSphere Application Liberty
Summary A potential vulnerability has been identified related to IBM WebSphere Application Liberty. Refer to details for additional information. Vulnerability Details CVEID: CVE-2020-4421 DESCRIPTION: IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user...
CVE-2020-4421
IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another user's identity. IBM X-Force ID: 180084...
Code injection
IBM WebSphere Application Liberty 19.0.0.5 through 20.0.0.4 could allow an authenticated user using openidconnect to spoof another user's identity. IBM X-Force ID: 180084...
CVE-2020-4421
The CVE-2020-4421 issue affects IBM WebSphere Application Liberty versions 19.0.0.5 through 20.0.0.4. An authenticated user leveraging the openidconnect feature could spoof another user’s identity, enabling an impersonation risk within Liberty environments that expose identity services via OpenID...
Doorkeeper::OpenidConnect Open Redirect
Doorkeeper::OpenidConnect aka the OpenID Connect extension for Doorkeeper 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request that results in an error response with the 'openid' scope and a prompt=none value. This allows phishing attacks...
CVE-2019-9837
Doorkeeper::OpenidConnect aka the OpenID Connect extension for Doorkeeper 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request that results in an error response with the 'openid' scope and a prompt=none value. This allows phishing attacks...
Design/Logic Flaw
Doorkeeper::OpenidConnect aka the OpenID Connect extension for Doorkeeper 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request that results in an error response with the 'openid' scope and a prompt=none value. This allows phishing attacks...
CVE-2019-9837
Doorkeeper::OpenidConnect aka the OpenID Connect extension for Doorkeeper 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request that results in an error response with the 'openid' scope and a prompt=none value. This allows phishing attacks...
CVE-2019-9837
The CVE-2019-9837 issue affects Doorkeeper::OpenidConnect (OpenID Connect extension for Doorkeeper) versions 1.4.x and 1.5.x prior to 1.5.4. An open redirect can occur via the redirect_uri field in an OAuth authorization request when the request includes the 'openid' scope and prompt=none, potent...
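The Doorkeeper entries above describe the provider-side counterpart: an authorization endpoint that answers a prompt=none request with an error redirect before it has validated redirect_uri will send the browser wherever the request says. The following is an added example in Python for this listing; it is not Doorkeeper code and does not reproduce Doorkeeper's fix. The client registry, URLs and response shapes are assumptions, and the attacker's request is constructed input. It contrasts an endpoint that emits the error redirect first with one that validates client_id and redirect_uri by exact match before any redirect, and answers locally with no Location header when they do not match.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry: the client id and its redirect URIs are assumptions for this example.
REGISTERED_CLIENTS = {
    "client-1": {"https://rp.example/callback"},
}


def _request_params(authorization_request_url):
    """Parse the query string of an authorization request as the provider's endpoint sees it."""
    query = parse_qs(urlparse(authorization_request_url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def _error_redirect(redirect_uri, error, state):
    """Build the 302 that returns an error to the client via redirect_uri (RFC 6749 4.1.2.1)."""
    params = {"error": error}
    if state is not None:
        params["state"] = state
    return "302", redirect_uri + "?" + urlencode(params)


def _prompt_none_error(params, user_logged_in):
    """Name the OIDC error a prompt=none request must fail with, or None if it can proceed."""
    wants_openid = "openid" in params.get("scope", "").split()
    if wants_openid and params.get("prompt") == "none" and not user_logged_in:
        return "login_required"
    return None


# --- Vulnerable: the prompt=none error path runs before redirect_uri has been validated -----

def authorize_vulnerable(request_url, user_logged_in):
    p = _request_params(request_url)
    error = _prompt_none_error(p, user_logged_in)
    if error:
        # Redirects to whatever redirect_uri the request carried: an open redirect.
        return _error_redirect(p.get("redirect_uri", ""), error, p.get("state"))
    if p.get("redirect_uri") not in REGISTERED_CLIENTS.get(p.get("client_id"), set()):
        return "400", "invalid_request: unknown client or redirect_uri"
    return "200", "render consent/login page"


# --- Hardened: validate client_id and redirect_uri first; never redirect when they fail -----

def authorize(request_url, user_logged_in):
    p = _request_params(request_url)
    registered = REGISTERED_CLIENTS.get(p.get("client_id"), set())
    # OIDC Core 3.1.2.1: redirect_uri MUST exactly match a registered value (no prefix or
    # host-only matching). RFC 6749 4.1.2.1: if it is invalid, inform the user locally and
    # do NOT redirect, whatever else is wrong with the request.
    if p.get("redirect_uri") not in registered:
        return "400", "invalid_request: unknown client or redirect_uri"
    error = _prompt_none_error(p, user_logged_in)
    if error:
        return _error_redirect(p["redirect_uri"], error, p.get("state"))
    return "200", "render consent/login page"


def demo():
    """Phishing-style request that names an attacker URL as redirect_uri (constructed input);
    returns the (status, location-or-body) pair from each endpoint."""
    attacker_request = "https://op.example/authorize?" + urlencode({
        "client_id": "client-1", "response_type": "code", "scope": "openid",
        "prompt": "none", "redirect_uri": "https://evil.example/phish",
    })
    return authorize_vulnerable(attacker_request, False), authorize(attacker_request, False)


if __name__ == "__main__":
    print(demo())
```

The ordering is the whole fix: every branch that can produce a Location header has to sit below the redirect_uri check, including error branches that look harmless because they carry no code or token. The exact-match rule also matters on its own; prefix or host matching reopens the redirect through path or query tricks.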
PT-2017-16869 · Ping Identity +2 · Mod Auth Openidc +2
Name of the Vulnerable Software and Affected Versions: mod_auth_openidc versions prior to 2.14 Description: The issue allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. This occurs due to a flaw in mod_auth_openidc.c...