Security
Headlines
HeadlinesLatestCVEs

Tag

#oauth

GHSA-2r2v-9pf8-6342: WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover

### Impact Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website. ### Patches The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The [docker images](https://hub.docker.com/r/wgportal/wg-portal) for the tag 'latest' built from the master branch also include the fix.

ghsa
Open in Source
#vulnerability#web#git#oauth#auth#docker
GHSA-237r-r8m4-4q88: Guzzle OAuth Subscriber has insufficient nonce entropy

### Impact Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used. ### Patches Upgrade to version 0.8.1 or higher. ### Workarounds No. ### References Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.

Chrome Extension Compromises Highlight Software Supply Challenges

The Christmas Eve compromise of data-security firm Cyberhaven's Chrome extension spotlights the challenges in shoring up third-party software supply chains.

16 Chrome Extensions Hacked in Large-Scale Credential Theft Scheme

SUMMARY A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to…

Non-Human Identities Gain Momentum, Requires Both Management, Security

The number of Non-Human Identities (NHIs) in many organizations has exploded. Key trends, drivers, and market landscape in this fast-developing area are explored.

GHSA-3q97-vjpp-c8rp: Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

## Description When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks. ## Resolution Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.

Vendors Chase Potential of Non-Human Identity Management

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

GHSA-p7c9-8xx8-h74f: Apache Kafka's SCRAM implementation Incorrectly Implements Authentication Algorithm

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. Impact: This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3]. Deployments using SCRAM with TLS are not affected by this issue. How to Detect If You Are Impacted: If your deployment uses SCRAM authent...

API Security in Open Banking: Balancing Innovation with Risk Management

Any technological innovation comes with security risks, and open banking is no exception. Open banking relies on APIs…