
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Nov 2019 — A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes similar to CVE-2019-3877 in mod_auth_mellon. An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14857 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jul 2019 — ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2. • https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Apr 2017 — Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. • http://www.openwall.com/lists/oss-security/2017/02/17/6 • CWE-20: Improper Input Validation

CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Mar 2017 — The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. • https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog • CWE-287: Improper Authentication

CVSS: 8.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Mar 2017 — The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. • http://www.securityfocus.com/bid/96549 • CWE-287: Improper Authentication