7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.
When we click the "Single Sign On" button, the plugin redirects us to the OAuth server to authenticate ourselves if we are not logged in.
The button invokes the following URL:
https://lana.solutions/vdb/oauth-client/?auth=sso
The client plugin redirects us to the following URL:
https://lana.solutions/vdb/oauth-server/?oauth=authorize&response_type=code&client_id=A7h8AfabvPH462WLGbcD6Ljb8IOE2tR9uDJva2TW&client_secret=ufMq5A63dGKOxW335SXyQKCNcumxZ2ZILnFk1Mil&redirect_uri=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client%2F%3Fauth%3Dsso&state=https%3A%2F%2Flana.solutions%2Fvdb%2Foauth-client
The URL contains the "client_secret" code that can be used to request an access token with client credentials grant type authentication.
Exploit script: https://gist.github.com/lana-codes/7659650c13b38b66b43748809b0c3269