Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Client secret not mandatory in UmbracoIdentityExtensions
Vulnerability Description
UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit flow is not safe. For traditional MVC applications, it is recommended to use the authorization code flow, which requires the client to authenticate with the authorization server using a client secret. This flow provides better security, as it involves exchanging an authorization code for an access token and/or ID token, rather than directly returning tokens in the URL fragment. This issue has been patched in commit `e792429f9` and a release to Nuget is pending. Users are advised to upgrade when possible.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
UmbracoIdentityExtensions 信息泄露漏洞
Vulnerability Description
UmbracoIdentityExtensions是丹麦Umbraco公司的一个 Umbraco 附加包。 UmbracoIdentityExtensions存在信息泄露漏洞,该漏洞源于不需要客户端密钥,这可能会将某些端点暴露给不受信任的参与者。
CVSS Information
N/A
Vulnerability Type
N/A