
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

A flaw was found in mod_auth_openidc before version 2.4.0.1. An open redirect issue exists in URLs with trailing slashes, similar to CVE-2019-3877 in mod_auth_mellon. An open redirect flaw was discovered in mod_auth_openidc in its handling of logout redirection.
• References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14857 https://github.com/zmartzone/mod_auth_openidc/commit/5c15dfb08106c2451c2c44ce7ace6813c216ba75 https://github.com/zmartzone/mod_auth_openidc/commit/ce37080c6aea30aabae8b4a9b4eea7808445cc8e https://github.com/zmartzone/mod_auth_openidc/pull/451 https://groups.google.com/forum/#%21topic/mod_auth_openidc/boy1Ba3Gdk4 https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html https://access.redhat.com/security/cve/CVE-2019-14857 https://bugzilla
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2.
• References: https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2 https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. A text injection flaw was found in how mod_auth_openidc handled error pages. An attacker could potentially use this flaw to conduct content spoofing and phishing attacks by tricking users into opening specially crafted URLs.
• References: http://www.openwall.com/lists/oss-security/2017/02/17/6 http://www.securityfocus.com/bid/96299 https://access.redhat.com/errata/RHSA-2019:2112 https://github.com/pingidentity/mod_auth_openidc/commit/612e309bfffd6f9b8ad7cdccda3019fc0865f3b4 https://github.com/pingidentity/mod_auth_openidc/issues/212 https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA https://lists.
• CWE-20: Improper Input Validation

CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic.
• References: https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog https://github.com/pingidentity/mod_auth_openidc/issues/222 https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.
• CWE-287: Improper Authentication

CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. It was found that mod_auth_openidc did not properly sanitize HTTP headers for certain request paths. A remote attacker could potentially use this flaw to bypass authentication and access sensitive information by sending crafted HTTP requests.
• References: http://www.securityfocus.com/bid/96549 https://access.redhat.com/errata/RHSA-2019:2112 https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproje
• CWE-287: Improper Authentication