Page 3 of 14 results (0.009 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

ZmartZone IAM mod_auth_openidc 2.3.10.1 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Redirecting the user to a phishing page or interacting with the application on behalf of the user. The component is: File: src/mod_auth_openidc.c, Line: 3109. The fixed version is: 2.3.10.2. IAM mod_auth_openidc versión 2.3.10.1 y anteriores de ZmartZone, está afectado por: Vulnerabilidad de tipo Cross-Site Scripting (XSS). • https://github.com/zmartzone/mod_auth_openidc/commit/132a4111bf3791e76437619a66336dce2ce4c79b https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.3.10.2 https://lists.debian.org/debian-lts-announce/2019/08/msg00029.html https://lists.debian.org/debian-lts-announce/2020/07/msg00028.html https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-001_mod_auth_openidc_reflected_xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication module for Apache (aka mod_auth_openidc) before 2.14 allows remote attackers to spoof page content via a malicious URL provided to the user, which triggers an invalid request. Mod_auth_openidc.c en el módulo de autenticación Ping Identity OpenID Connect para Apache (también conocido como mod_auth_openidc) en versiones anteriores a 2.14 permite a los atacantes remotos falsificar el contenido de la página a través de una URL malintencionada proporcionada al usuario, lo que desencadena una solicitud no válida. A text injection flaw was found in how mod_auth_openidc handled error pages. An attacker could potentially use this flaw to conduct content spoofing and phishing attacks by tricking users into opening specially crafted URLs. • http://www.openwall.com/lists/oss-security/2017/02/17/6 http://www.securityfocus.com/bid/96299 https://access.redhat.com/errata/RHSA-2019:2112 https://github.com/pingidentity/mod_auth_openidc/commit/612e309bfffd6f9b8ad7cdccda3019fc0865f3b4 https://github.com/pingidentity/mod_auth_openidc/issues/212 https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA https://lists. • CWE-20: Improper Input Validation •

CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.6 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "AuthType oauth20" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. El módulo "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (también conocido como mod_auth_openidc) en versiones anteriores a 2.1.6 para el servidor HTTP de Apache no omite cabeceras OIDC_CLAIM_ y OIDCAuthNHeader en una configuración "AuthType oauth20", lo que permite a atacantes remotos eludir autenticación a través de tráfico HTTP manipulado. It was found that mod_auth_openidc did not properly sanitize HTTP headers for certain request paths. A remote attacker could potentially use this flaw to bypass authentication and access sensitive information by sending crafted HTTP requests. • http://www.securityfocus.com/bid/96549 https://access.redhat.com/errata/RHSA-2019:2112 https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproje • CWE-287: Improper Authentication •

CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0

The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka mod_auth_openidc) module before 2.1.5 for the Apache HTTP Server does not skip OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration, which allows remote attackers to bypass authentication via crafted HTTP traffic. El módulo "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (también conocido como mod_auth_openidc) en versiones anteriores a 2.1.5 para el servidor HTTP de Apache no omite cabeceras OIDC_CLAIM_ y OIDCAuthNHeader en una configuración "OIDCUnAuthAction pass", lo que permite a atacantes remotos eludir la autenticación a través de tráfico HTTP manipulado • https://github.com/pingidentity/mod_auth_openidc/blob/master/ChangeLog https://github.com/pingidentity/mod_auth_openidc/issues/222 https://github.com/pingidentity/mod_auth_openidc/releases/tag/v2.1.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V3HIGXMUKJGOBMAQAQPGC7G5YYWSUVA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EJXBG3DG2FUYFGTUTSJFMPIINVFKKB4Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject. • CWE-287: Improper Authentication •