Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
oauth vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2014-7922
The GoogleAuthUtil.getToken method in the Google Play services SDK prior to 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows malicious users to bypass an intended consent dialog and retrieve toke...
Google Play Services Sdk
6.1
CVSSv3
CVE-2017-18877
An issue exists in Mattermost Server prior to 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
Mattermost Mattermost Server
Mattermost Mattermost Server 4.3.0
5.3
CVSSv3
CVE-2017-18905
An issue exists in Mattermost Server prior to 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.
Mattermost Mattermost Server
9.8
CVSSv3
CVE-2020-13312
A vulnerability exists in GitLab versions prior to 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.
Gitlab Gitlab
6.1
CVSSv3
CVE-2019-7661
An issue exists in PHPMyWind 5.5. The method parameter of the data/api/oauth/connect.php page has a reflected Cross-site Scripting (XSS) vulnerability.
Phpmywind Phpmywind
10
CVSSv3
CVE-2020-13300
GitLab CE/EE version 13.3 before 13.3.4 was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow.
Gitlab Gitlab
7.5
CVSSv3
CVE-2017-18917
An issue exists in Mattermost Server prior to 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.
Mattermost Mattermost Server
7.5
CVSSv3
CVE-2022-2083
The Simple Single Sign On WordPress plugin up to and including 4.1.0 leaks its OAuth client_secret, which could be used by malicious users to gain unauthorized access to the site.
Simple Sign On Project Simple Sign On
8.6
CVSSv3
CVE-2017-6062
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module prior to 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote mali...
Openidc Mod Auth Openidc
7.5
CVSSv3
CVE-2017-9245
The Google News and Weather application prior to 3.3.1 for Android allows remote malicious users to read OAuth tokens by sniffing the network and leveraging the lack of SSL.
Google News And Weather
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
authentication bypass
CVE-2024-30051
remote
CVE-2024-27954
CVE-2023-51483
CVE-2023-47782
SSRF
CVE-2024-24715
CVE-2023-52424
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
5
6
7
8
9
10
NEXT »