Lucene search
+L

7 matches found

CVE
CVE
added 2022/05/20 11:45 p.m.552 views

CVE-2022-29214

CVE-2022-29214 affects NextAuth.js (next-auth). The vulnerability is an open redirect when implementing an OAuth 1 provider, present in versions prior to 3.29.3 (v3) and 4.3.3 (v4). A patch exists in those respective versions (3.29.3 and 4.3.3). If upgrading is not possible, a workaround is docum...

6.1CVSS6.2AI score0.00626EPSS
CVE
CVE
added 2022/08/02 5:55 p.m.404 views

CVE-2022-35924

CVE-2022-35924 affects NextAuth.js EmailProvider in versions before 4.10.3 and 3.29.10. An attacker could forge a request with a comma-separated email list, causing the system to send emails to both attacker and victim, potentially bypassing authorization (e.g., email.endsWith checks) when loggin...

9.1CVSS9.3AI score0.01137EPSS
CVE
CVE
added 2023/11/20 6:25 p.m.151 views

CVE-2023-48309

Concrete details: The CVE-2023-48309 flaw affects next-auth (Next.js) apps before v4.24.5 that rely on the default Middleware authorization. An attacker can obtain a NextAuth.js JWT from an interrupted OAuth sign-in flow and override the next-auth.session-token cookie with this unrelated JWT to s...

5.3CVSS5.1AI score0.007EPSS
CVE
CVE
added 2021/02/11 9:40 p.m.64 views

CVE-2021-21310

NextAuth.js (next-auth) token verification vulnerability affects the Prisma database adapter when used with the Email provider (before 3.3.0). The defect: verification tokens were checked but not the associated email identifier, enabling sign-in as another user with a valid token. The issue is sp...

6.1CVSS5.6AI score0.01667EPSS
CVE
CVE
added 2022/07/06 6:0 p.m.61 views

CVE-2022-31127

CVE-2022-31127 affects NextAuth.js (Next.js) and describes an improper handling of email input at the signin email endpoint. An attacker could inject HTML into the email parameter, causing the HTML content to be rendered in an email sent to a user, enabling phishing. Remediation per sources: patc...

7.1CVSS6.3AI score0.01051EPSS
CVE
CVE
added 2022/09/28 9:5 p.m.61 views

CVE-2022-39263

CVE-2022-39263 affects the Upstash Redis adapter for NextAuth.js when used with the Email Provider prior to v3.0.2. The adapter verifified only the identifier (email) and not the combined identifier + token in the email callback flow, enabling an attacker who knows the victim’s email (and token ex...

8.1CVSS7.4AI score0.006EPSS
CVE
CVE
added 2023/03/09 8:37 p.m.61 views

CVE-2023-27490

NextAuth.js (for Next.js) versions before 4.20.1 are affected. A partial OAuth session failure lets a network observer or social engineer modify the authorization URL to bypass CSRF checks, potentially logging in as the victim. The issue arises from missing/compromised state, PKCE, and nonce hand...

8.8CVSS8.4AI score0.00538EPSS