CVE-2024-12056
Description
The Client secret is not checked when using the OAuth Password grant type. By exploiting this vulnerability, an attacker could connect to a web server using a client application not explicitly authorized as part of the OAuth deployment. Exploitation requires valid credentials and does not permit the attacker to bypass user privileges.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2024-12056? +
How do I check if I'm vulnerable to CVE-2024-12056? +
Related Vulnerabilities
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / …
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the …
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. …
DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability.
Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
Whale browser before 4.35.351.12 allows an attacker to escape the iframe sandbox in a sidebar environment.