254 matches found
@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state
Impact All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be...
Cross-Site Request Forgery (CSRF)
fastify-oauth2, is vulnerable to Cross-Site Request Forgery. The vulnerability exists due to lack of randomness in the state parameter of index.js which allows an attacker to execute operations within the victim's session, leading to unauthorized access to user accounts...
GHSA-HGXV-3497-3HHJ Duplicate Advisory: @fastify/oauth2 Oauth2 state parameter reuse
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8x5-p9qc-cf95. This link is maintained to preserve external references. Original Description All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all...
Duplicate Advisory: @fastify/oauth2 Oauth2 state parameter reuse
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8x5-p9qc-cf95. This link is maintained to preserve external references. Original Description All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all...
CVE-2023-31999
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...
CVE-2023-31999
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...
CVE-2023-31999
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...
PT-2023-25393 · Unknown · @Fastify/Oauth2
Name of the Vulnerable Software and Affected Versions: @fastify/oauth2 versions prior to 7.2.0 Description: The issue is related to cross-site request forgery CSRF due to the use of a statically generated state parameter across all requests for all users. This parameter should be unique per user...
CVE-2023-26847
A stored cross-site scripting XSS vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at opencats/index.php?m=candidates...
OpenCats 跨站脚本漏洞
OpenCATS is a leading open source applicant tracking system for recruiters and companies. A security vulnerability exists in OpenCats v0.9.7. An attacker could use the vulnerability to execute arbitrary web script or HTML by injecting a specially crafted payload into the state parameter of...
PT-2023-21171 · Envoy · Envoy
Name of the Vulnerable Software and Affected Versions: Envoy versions prior to 1.26.0 Envoy versions prior to 1.25.3 Envoy versions prior to 1.24.4 Envoy versions prior to 1.23.6 Envoy versions prior to 1.22.9 Description: The OAuth filter in Envoy assumes that a state query param is present on a...
CVE-2023-1421
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...
Cross site scripting
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...
CVE-2023-1421 Reflected XSS in OAuth flow completion endpoints
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...
PT-2023-16973 · Unknown · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost affected versions not specified Description: A reflected cross-site scripting issue in the OAuth flow completion endpoints allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious...
Cross-Site Request Forgery (CSRF)
Concrete CMS is vulnerable to cross-site request forgery. The vulnerability exists in multiple functions due to lack of checks in the State parameter for external concrete authentication service which allows an attacker to initiate unwanted actions within the web application...
GHSA-W8FP-3GWQ-GXPW Concrete CMS vulnerable to Cross-site Request Forgery
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth...
Cross site request forgery (csrf)
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth...
CVE-2022-43693
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth...
CVE-2022-43693
Concrete CMS is vulnerable to Cross-Site Request Forgery (CSRF) due to the lack of a State parameter in the external authentication service when using the out-of-the-box core OAuth flow. The CVE-2022-43693 entry indicates the root cause is CSRF susceptibility in the external authentication integr...