- Risk: critical
- CVSS v3 Base Score: 9
- CVSS v3 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
- CWE ID: CWE-284
- CWE Name: Improper Access Control
Description
In the oauth2 app, an attacker is able to pass in a specially crafted redirect URL that bypasses
the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.
Affected
- oauth2 < 0.6.1
Action taken
Harden the validation code in the oauth2 app. As a workaround, you can disable the “Allow Subdomains” option, which prevents the vulnerability from being exploited.
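For reference, the kind of strict redirect-URI check a hardened implementation needs, as an added example that is not the oauth2 app's own code: the registered URI and the requested URI are parsed with Python's `urllib.parse`, the `allow_subdomains` flag is assumed to mirror the “Allow Subdomains” option, and only an exact match or a true subdomain of the registered host (same scheme, port, path and query, no userinfo) is accepted.

```python
from urllib.parse import urlsplit


def host_matches(candidate: str, registered: str, allow_subdomains: bool) -> bool:
    """Exact host match, or a strict subdomain when the option is enabled.

    A strict subdomain must end with "." + registered host, so hosts that merely
    contain or start with the registered name are rejected.
    """
    if candidate == registered:
        return True
    return allow_subdomains and candidate.endswith("." + registered)


def is_valid_redirect(registered_uri: str, requested_uri: str,
                      allow_subdomains: bool = False) -> bool:
    """Return True only if requested_uri may receive the OAuth callback.

    Every component except the host must match the registered URI exactly;
    the host must match per host_matches(). Userinfo in the requested URI is
    always rejected so that the part before '@' cannot impersonate the host.
    """
    reg = urlsplit(registered_uri)
    req = urlsplit(requested_uri)
    # .hostname is lower-cased and excludes userinfo and port
    if not reg.hostname or not req.hostname:
        return False
    if req.username is not None or req.password is not None:
        return False
    if req.scheme != reg.scheme or req.port != reg.port:
        return False
    if req.path != reg.path or req.query != reg.query:
        return False
    return host_matches(req.hostname, reg.hostname, allow_subdomains)


if __name__ == "__main__":
    # constructed sample values, not from the advisory
    registered = "https://cloud.example.com/apps/oauth2/cb"
    for uri in ("https://cloud.example.com/apps/oauth2/cb",
                "https://app.cloud.example.com/apps/oauth2/cb",
                "https://cloud.example.com.other.example/apps/oauth2/cb",
                "http://cloud.example.com/apps/oauth2/cb"):
        print(uri, is_valid_redirect(registered, uri, allow_subdomains=True))
```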