Lucene search
+L

254 matches found

github
github
added 2023/07/05 9:36 p.m.50 views

@fastify/oauth2 vulnerable to Cross Site Request Forgery due to reused Oauth2 state

Impact All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be...

8.8CVSS6.8AI score0.00679EPSS
Exploits1References6Affected Software1
veracode
veracode
added 2023/07/05 8:38 a.m.19 views

Cross-Site Request Forgery (CSRF)

fastify-oauth2, is vulnerable to Cross-Site Request Forgery. The vulnerability exists due to lack of randomness in the state parameter of index.js which allows an attacker to execute operations within the victim's session, leading to unauthorized access to user accounts...

8.8CVSS7AI score0.00679EPSS
Exploits1References4Affected Software2
osv
osv
added 2023/07/04 6:30 p.m.8 views

GHSA-HGXV-3497-3HHJ Duplicate Advisory: @fastify/oauth2 Oauth2 state parameter reuse

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8x5-p9qc-cf95. This link is maintained to preserve external references. Original Description All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all...

8.8CVSS8.7AI score0.00679EPSS
Exploits1References5
github
github
added 2023/07/04 6:30 p.m.19 views

Duplicate Advisory: @fastify/oauth2 Oauth2 state parameter reuse

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g8x5-p9qc-cf95. This link is maintained to preserve external references. Original Description All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all...

8.8CVSS6.8AI score0.00679EPSS
Exploits1References5Affected Software1
nvd
nvd
added 2023/07/04 5:15 p.m.23 views

CVE-2023-31999

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...

8.8CVSS8.7AI score0.00679EPSS
Exploits1References3
cvelist
cvelist
added 2023/07/04 4:29 p.m.32 views

CVE-2023-31999

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...

8.9AI score0.00679EPSS
Exploits1References3
osv
osv
added 2023/07/04 4:29 p.m.19 views

CVE-2023-31999

All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to...

8.8CVSS7.1AI score0.00679EPSS
Exploits1References5
ptsecurity
ptsecurity
added 2023/07/03 12:0 a.m.7 views

PT-2023-25393 · Unknown · @Fastify/Oauth2

Name of the Vulnerable Software and Affected Versions: @fastify/oauth2 versions prior to 7.2.0 Description: The issue is related to cross-site request forgery CSRF due to the use of a statically generated state parameter across all requests for all users. This parameter should be unique per user...

6.5AI score
Exploits0References2
nvd
nvd
added 2023/04/11 3:15 p.m.27 views

CVE-2023-26847

A stored cross-site scripting XSS vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at opencats/index.php?m=candidates...

5.4CVSS5.3AI score0.00429EPSS
Exploits0References2
cnnvd
cnnvd
added 2023/04/11 12:0 a.m.5 views

OpenCats 跨站脚本漏洞

OpenCATS is a leading open source applicant tracking system for recruiters and companies. A security vulnerability exists in OpenCats v0.9.7. An attacker could use the vulnerability to execute arbitrary web script or HTML by injecting a specially crafted payload into the state parameter of...

5.4CVSS6.7AI score0.00429EPSS
Exploits0References6
ptsecurity
ptsecurity
added 2023/04/04 12:0 a.m.6 views

PT-2023-21171 · Envoy · Envoy

Name of the Vulnerable Software and Affected Versions: Envoy versions prior to 1.26.0 Envoy versions prior to 1.25.3 Envoy versions prior to 1.24.4 Envoy versions prior to 1.23.6 Envoy versions prior to 1.22.9 Description: The OAuth filter in Envoy assumes that a state query param is present on a...

7.5CVSS6.8AI score0.00758EPSS
Exploits1References12
nvd
nvd
added 2023/03/15 11:15 p.m.26 views

CVE-2023-1421

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...

6.1CVSS4.4AI score0.00413EPSS
Exploits0References1
prion
prion
added 2023/03/15 11:15 p.m.24 views

Cross site scripting

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...

5.8CVSS5.8AI score0.00413EPSS
Exploits0References1Affected Software1
osv
osv
added 2023/03/15 10:51 p.m.21 views

CVE-2023-1421 Reflected XSS in OAuth flow completion endpoints

A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...

3.5CVSS6.3AI score0.00413EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2023/03/15 12:0 a.m.7 views

PT-2023-16973 · Unknown · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost affected versions not specified Description: A reflected cross-site scripting issue in the OAuth flow completion endpoints allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious...

6.1CVSS5.8AI score0.00413EPSS
Exploits0References7
veracode
veracode
added 2022/11/15 3:16 a.m.12 views

Cross-Site Request Forgery (CSRF)

Concrete CMS is vulnerable to cross-site request forgery. The vulnerability exists in multiple functions due to lack of checks in the State parameter for external concrete authentication service which allows an attacker to initiate unwanted actions within the web application...

8.8CVSS8.4AI score0.0044EPSS
Exploits0References11Affected Software2
osv
osv
added 2022/11/14 7:0 p.m.19 views

GHSA-W8FP-3GWQ-GXPW Concrete CMS vulnerable to Cross-site Request Forgery

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth...

8.8CVSS8.8AI score0.0044EPSS
Exploits0References7
prion
prion
added 2022/11/14 5:15 p.m.11 views

Cross site request forgery (csrf)

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth...

6.8CVSS8.8AI score0.0044EPSS
Exploits0References5Affected Software1
vulnrichment
vulnrichment
added 2022/11/14 12:0 a.m.6 views

CVE-2022-43693

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth...

7.1AI score0.0044EPSS
Exploits0References5
cve
cve
added 2022/11/14 12:0 a.m.81 views

CVE-2022-43693

Concrete CMS is vulnerable to Cross-Site Request Forgery (CSRF) due to the lack of a State parameter in the external authentication service when using the out-of-the-box core OAuth flow. The CVE-2022-43693 entry indicates the root cause is CSRF susceptibility in the external authentication integr...

8.8CVSS8.8AI score0.0044EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder