BIT-gitlab-2020-13272

OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code...Read More ...

Continue Reading
BIT-gitlab-2020-13272

OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code...Read More ...

Continue Reading
The SEC Won’t Let CISOs Be: Understanding New SaaS Cybersecurity Rules

The SEC isn't giving SaaS a free pass. Applicable public companies, known as "registrants," are now subject to cyber incident disclosure and cybersecurity readiness requirements ...

Continue Reading
CVE-2024-21632

omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the email attribute of the user nor d ...

Continue Reading
CVE-2024-22403

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time ...

Continue Reading
Authentik vulnerable to PKCE downgrade attack

Summary PKCE is a very important countermeasure in OAuth2 , both for public and confidential clients. It protects against CSRF attacks and code injection attacks. Because of this bug, an attacker can ...

Continue Reading
Authentik vulnerable to PKCE downgrade attack

Summary PKCE is a very important countermeasure in OAuth2 , both for public and confidential clients. It protects against CSRF attacks and code injection attacks. Because of this bug, an attacker can ...

Continue Reading
Midnight Blizzard Exploiting Legacy OAuth for Lateral Movement

Summary: Midnight Blizzard exploited a legacy test OAuth application with elevated access due to a common password and lack of multi-factor authentication (MFA). The attackers leveraged this access to ...

Continue Reading

Back to Main

Subscribe for the latest news: