2 matches found
CVE-2022-24794
Express OpenID Connect (express-openid-connect) CVE-2022-24794 describes an Open Redirect vulnerability when requiresAuth is applied on a catch-all route. Affected versions are prior to 2.7.2. The issue arises because the original URL reported by the Express framework is not properly sanitized, a...
CVE-2021-41246
Express OpenID Connect middleware for Express.js is affected. Versions up to and including 2.5.1 do not regenerate the session id and session cookie on login, enabling session-fixation risks. A patch exists in version 2.5.2, which fixes the issue. Several sources corroborate this behavior and pat...