Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
omniauth-microsoft_graph vulnerable to account takeover (nOAuth)
Vulnerability Description
omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Vulnerability Type
认证机制不恰当
Vulnerability Title
Omniauth::MicrosoftGraph 授权问题漏洞
Vulnerability Description
Omniauth::MicrosoftGraph是Peter Philips个人开发者的一个适用于 Microsoft Graph Api 的 Omniauth 策略。 Omniauth::MicrosoftGraph 2.0.0之前版本存在授权问题漏洞,该漏洞源于没有验证用户email属性的合法性,导致容易受到nOAuth错误配置的影响。
CVSS Information
N/A
Vulnerability Type
N/A