authing/oauth2-server is vulnerable to cross-site scripting. The vulnerability exists in the uri
parameter in is.js
due to improper input validation in redirect_uri
parameters which allows a malicious user to inject and execute a maliciously crafted payload.
CPE | Name | Operator | Version |
---|---|---|---|
@authing/oauth2-server | eq | 3.1.0 | |
@authing/oauth2-server | eq | 3.1.0 |
github.com/advisories/GHSA-4rg6-fm25-gc34
github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/grant-types/authorization-code-grant-type.js#L143
github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/validator/is.js#L12
github.com/oauthjs/node-oauth2-server/issues/637
tools.ietf.org/html/rfc3986#section-3
tools.ietf.org/html/rfc6749#section-3.1.2