41 matches found

OSSF Malicious Packages
added 2025/10/22 2:13 a.m., 2 views

Malicious code in user_oidc (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis e28e6e5435f54199a3dca6186e1ad2d2846226bcf0a6792ff09d40b6215ed7af The OpenSSF Package Analysis project identified 'user_oidc' @ 8.0.2 np...

AI score: 6.9
Exploits: 0, References: 1
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-32474

Malicious code in bioql PyPI...

CVSS: 5.4, AI score: 5.6, EPSS: 0.00225
Exploits: 0, References: 3
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-36870

Malicious code in bioql PyPI...

CVSS: 5.4, AI score: 5.7, EPSS: 0.00591
Exploits: 0, References: 3
RedhatCVE
added 2025/05/23 5:11 a.m., 4 views

CVE-2023-32074

user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken/bypassed in user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2...

CVSS: 9.8, AI score: 6.8, EPSS: 0.00298
Exploits: 0, References: 1
NVD
added 2024/11/15 6:15 p.m., 18 views

CVE-2024-52512

user_oidc app is an OpenID Connect user backend for Nextcloud. A malicious user could send a malformed login link that would redirect the user to a provided URL after successfully authenticating. It is recommended that the Nextcloud User OIDC app is upgraded to 6.1.0...

CVSS: 6.1, EPSS: 0.00545
Exploits: 0, References: 4
Hacker One
added 2024/09/16 12:13 p.m., 4 views

Nextcloud: Open redirect when logging in with user_oidc

An open redirect vulnerability was discovered in Nextcloud's user_oidc app. This vulnerability allowed an attacker to redirect users to a malicious website during the login process...

CVSS: 6.1, AI score: 6.5, EPSS: 0.00545
Exploits: 0
NVD
added 2024/06/14 4:15 p.m., 17 views

CVE-2024-37886

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0...

CVSS: 5.4, EPSS: 0.00591
Exploits: 0, References: 3
Vulnrichment
added 2024/06/14 3:45 p.m., 12 views

CVE-2024-37886 Nextcloud user_oidc's ID4me does not validate signature or expiration

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0...

CVSS: 5.4, AI score: 6.8, EPSS: 0.00591
Exploits: 0, References: 3
Cvelist
added 2024/06/14 3:45 p.m., 22 views

CVE-2024-37886 Nextcloud user_oidc's ID4me does not validate signature or expiration

user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0...

CVSS: 5.4, EPSS: 0.00591
Exploits: 0, References: 3
CVE
added 2024/06/14 3:45 p.m., 49 views

CVE-2024-37886

CVE-2024-37886 affects Nextcloud’s user_oidc OpenID Connect backend; ID4me does not validate the signature or expiration, enabling an attacker to submit requests not signed by the correct server. Upgrades are recommended to Nextcloud user_oidc versions 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0. Support...

CVSS: 5.4, AI score: 5.4, EPSS: 0.00591
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2024/06/14 2:43 p.m., 26 views

CVE-2024-37312 Nextcloud user_oidc app's ID4me feature is available even when disabled

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to...

CVSS: 6.3, EPSS: 0.00467
Exploits: 1, References: 3
Vulnrichment
added 2024/06/14 2:43 p.m., 29 views

CVE-2024-37312 Nextcloud user_oidc app's ID4me feature is available even when disabled

user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to...

CVSS: 6.3, AI score: 6.9, EPSS: 0.00467
Exploits: 1, References: 3
CVE
added 2024/06/14 2:43 p.m., 64 views

CVE-2024-37312

The CVE concerns Nextcloud’s user_oidc OpenID Connect backend, where the ID4me endpoint lacks access control, enabling account registration and potential access to data available to all registered users. Publicly documented details come from Nextcloud advisories and HackerOne report, which confir...

CVSS: 6.3, AI score: 6.3, EPSS: 0.00467
Exploits: 1, References: 3, Affected Software: 1
NVD
added 2023/08/10 3:15 p.m., 14 views

CVE-2023-39954

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc...

CVSS: 8.1, AI score: 5.8, EPSS: 0.00512
Exploits: 0, References: 3
Prion
added 2023/08/10 3:15 p.m., 11 views

Code injection

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc...

CVSS: 5.5, AI score: 7.7, EPSS: 0.00512
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2023/08/10 2:32 p.m., 14 views

CVE-2023-39954 user_oidc app stores client secret unencrypted in database

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc...

CVSS: 3.8, AI score: 8.1, EPSS: 0.00512
Exploits: 0, References: 3
CVE
added 2023/08/10 2:32 p.m., 63 views

CVE-2023-39954

CVE-2023-39954 affects the Nextcloud user_oidc app (OIDC backend). Versions 1.0.0 through 1.3.2 allow an attacker with read access to a database snapshot to impersonate the Nextcloud server toward linked servers due to unencrypted storage of the client secret. A patch exists in version 1.3.3. No...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00512
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2023/08/10 2:32 p.m., 11 views

CVE-2023-39954 user_oidc app stores client secret unencrypted in database

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc...

CVSS: 3.8, AI score: 6.6, EPSS: 0.00512
Exploits: 0, References: 3
OSV
added 2023/08/10 1:55 p.m., 13 views

CVE-2023-39953 Issuer not verified from obtained token in user_oidc

user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also...

CVSS: 4.8, AI score: 5, EPSS: 0.00612
Exploits: 0, References: 5
CVE
added 2023/08/10 1:55 p.m., 51 views

CVE-2023-39953

The CVE-2023-39953 entry concerns Nextcloud’s user_oidc app. Affected versions: 1.0.0 through 1.3.2. Root cause: missing verification of the issuer in the OIDC token validation, enabling a potential Man-in-the-Middle attack that could return corrupted or known tokens. Impact: attacker could lever...

CVSS: 4.8, AI score: 4.9, EPSS: 0.00612
Exploits: 0, References: 3, Affected Software: 1